v5.2.3

flowzone-app[bot] · web-flow · commit b096b00967d0 · 2024-03-22T10:26:07.000Z
diff --git a/.versionbot/CHANGELOG.yml b/.versionbot/CHANGELOG.yml
@@ -1,3 +1,350 @@
+- commits:
+    - subject: Update layers/meta-balena to 90d838ae943ffa72108522bfcc4370105a3be40c
+      hash: 677757980fc2453660258e6a47a6d261556ba1e3
+      body: Update layers/meta-balena
+      footer:
+        Changelog-entry: Update layers/meta-balena to 90d838ae943ffa72108522bfcc4370105a3be40c
+        changelog-entry: Update layers/meta-balena to 90d838ae943ffa72108522bfcc4370105a3be40c
+      author: Self-hosted Renovate Bot
+      nested:
+        - commits:
+            - subject: mv docs/{,uefi-}secure-boot.md
+              hash: 18e35c55cb486d93aadc43df1f5e0db0ef840c03
+              body: ""
+              footer:
+                Change-type: patch
+                change-type: patch
+                Signed-off-by: Joseph Kogut <joseph@balena.io>
+                signed-off-by: Joseph Kogut <joseph@balena.io>
+              author: Joseph Kogut
+              nested: []
+            - subject: "docs: secure-boot: update for PCR7 sealing"
+              hash: e3c6131e6979390292c72e5e18c96d83165096fe
+              body: >
+                Update secure boot docs to reflect changes made for PCR7
+                sealing,
+
+                including:
+
+
+                * No first boot needed anymore to reach secure state
+
+                * PCR roles
+              footer:
+                Change-type: patch
+                change-type: patch
+                Signed-off-by: Joseph Kogut <joseph@balena.io>
+                signed-off-by: Joseph Kogut <joseph@balena.io>
+              author: Joseph Kogut
+              nested: []
+            - subject: "os-helpers: compute_pcr7: merge event log digests"
+              hash: e10d67084621e5ce10f14557f2466e91ff684b41
+              body: >
+                The main variables measured into PCR7 to ensure secure boot
+
+                configuration integrity are the state and EFI vars, including
+                PK, KEK,
+
+                db, dbx, etc.
+
+
+                However, some systems have firmware that will measure other,
+                unexpected
+
+                events, such as "DMA Protection Disabled" (related to a Windows
+                feature
+
+                [0]), or "Unknown event type" with strange data.
+
+
+                These events can't be predicted, and other devices may have
+                different
+
+                measured events that aren't compliant with the TCG spec, so
+                attempt to
+
+                check the TPM event log and extend our digest with any unknown
+                events
+
+                that fit the bill.
+
+
+                [0]
+                https://learn.microsoft.com/en-us/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt
+              footer:
+                Change-type: patch
+                change-type: patch
+                Signed-off-by: Joseph Kogut <joseph@balena.io>
+                signed-off-by: Joseph Kogut <joseph@balena.io>
+              author: Joseph Kogut
+              nested: []
+            - subject: Update policy's PCR7 value in hostapp-update hook
+              hash: f05deea2cd1003e186fa7756eecf8f113db26a7f
+              body: >
+                When performing a hostapp-update, we may touch file and efivars
+                that are
+
+                measured into PCR7. Re-generate the predicted value and reseal
+                the LUKS
+
+                passphrase using this new digest.
+              footer:
+                Change-type: patch
+                change-type: patch
+                Signed-off-by: Joseph Kogut <joseph@balena.io>
+                signed-off-by: Joseph Kogut <joseph@balena.io>
+              author: Joseph Kogut
+              nested: []
+            - subject: "os-helpers-tpm2: compute_pcr7: allow overriding efivars"
+              hash: 3e0911a5c4317ea4b9ca03a7816ce600e5b202c5
+              body: >
+                When computing the digest of PCR7, it may be necessary to
+                override the
+
+                input variables used, in order to predict the value on the next
+                boot.
+
+                Allow these inputs to be overridden using function parameters.
+              footer:
+                Change-type: patch
+                change-type: patch
+                Signed-off-by: Joseph Kogut <joseph@balena.io>
+                signed-off-by: Joseph Kogut <joseph@balena.io>
+              author: Joseph Kogut
+              nested: []
+            - subject: Move policy update to HUP commit hook
+              hash: 80f9bd84de394aa728ed802a2d4c02f3a87f370b
+              body: >
+                When migrating the TPM2 policy used to secure the LUKS
+                passphrase to use
+
+                different PCRs, we temporarily want to maintain fallback
+                capability in
+
+                case the newly installed hostapp doesn't pass healthchecks. This
+                allows
+
+                the system to boot back into the original OS and try again.
+
+
+                In order to do so, we leave the passphrase in place with the old
+                PCR
+
+                authentication policy. The cryptsetup hook in the initramfs will
+                try
+
+                PCRs 0,2,3,7 and if those don't work we fallback to the original
+                PCRs.
+
+
+                Once the new system successfully boots, we'll re-encrypt the
+                passphrase
+
+                and use the new PCRs to create a policy to secure the key.
+              footer:
+                Change-type: patch
+                change-type: patch
+                Signed-off-by: Joseph Kogut <joseph@balena.io>
+                signed-off-by: Joseph Kogut <joseph@balena.io>
+              author: Joseph Kogut
+              nested: []
+            - subject: "rollback-health: move apply-dbx to HUP commit hook"
+              hash: 3d78d26366b284313ea718adb8d5498ac4f27e1f
+              body: >
+                This operation is done after rollback-health completes and the
+                new OS is
+
+                running to ensure the OS is healthy before appending to the
+                forbidden
+
+                signatures list.
+
+
+                Move this out of rollback-health and into a HUP commit hook,
+                which
+
+                allows it to be excluded from OS images that don't use EFI or
+                support
+
+                secure boot.
+              footer:
+                Change-type: patch
+                change-type: patch
+                Signed-off-by: Joseph Kogut <joseph@balena.io>
+                signed-off-by: Joseph Kogut <joseph@balena.io>
+              author: Joseph Kogut
+              nested: []
+            - subject: "hostapp-hooks: include 0-signed-update only for efi"
+              hash: 328222014146f0116e0208443f3e255d0e85ef15
+              body: >
+                This hook is only applicable for EFI machines. Include it in the
+                build
+
+                only when MACHINE_FEATURES includes EFI.
+              footer:
+                Change-type: patch
+                change-type: patch
+                Signed-off-by: Joseph Kogut <joseph@balena.io>
+                signed-off-by: Joseph Kogut <joseph@balena.io>
+              author: Joseph Kogut
+              nested: []
+            - subject: "secure boot: seal luks passphrase w/ PCR7"
+              hash: 86460d1fa00e40caa1e3edd3ebed5d2098dafe31
+              body: ""
+              footer:
+                Change-type: patch
+                change-type: patch
+                Signed-off-by: Joseph Kogut <joseph@balena.io>
+                signed-off-by: Joseph Kogut <joseph@balena.io>
+              author: Joseph Kogut
+              nested: []
+            - subject: "os-helpers-tpm2: separate authentication from crypto"
+              hash: 6a4e3cd2f48dc7e48acc35f04200317397d6d0b1
+              body: >
+                When encrypting the LUKS passphrase, we need the ability to
+                construct a
+
+                policy that can logically OR together multiple policies, such as
+                when
+
+                the machine may or may not measure binaries loaded through EFI
+                boot
+
+                services into PCR7.
+
+
+                We also need the ability to update the sealing policy to revoke
+
+                previously valid configurations, such as after
+                hostapp-healthcheck
+
+                completes successfully. Ideally, this should be completed before
+
+                modifying any efi variables, to prevent the system from becoming
+
+                unbootable in the event of an interrupted update.
+
+
+                These requirements necessitate the ability to create sealing
+                policies
+
+                and authenticate against them outside of the
+                hw_{en,de}crypt_passphrase
+
+                functions.
+
+
+                This commit allows the caller to setup the sealing policy when
+
+                encrypting, and choose what kind of authentication to use when
+
+                decrypting.
+              footer:
+                Change-type: patch
+                change-type: patch
+                Signed-off-by: Joseph Kogut <joseph@balena.io>
+                signed-off-by: Joseph Kogut <joseph@balena.io>
+              author: Joseph Kogut
+              nested: []
+            - subject: "tcgtool: new recipe"
+              hash: 5217a6c8e8599f18ef84d319fb41049c476be265
+              body: >
+                Create recipe for tcgtool, a program that replicates the
+                structures used
+
+                to represent data measured and hashed to extend TPM PCRs.
+
+
+                This is useful to compute a PCR hash at runtime, which is
+                normally
+
+                computed by the firmware before the OS boots. This allows for
+                adjusting
+
+                a TPM2 policy to unlock the disk encryption passphrase with the
+                updated
+
+                state on the next boot.
+              footer:
+                Change-type: patch
+                change-type: patch
+                Signed-off-by: Joseph Kogut <joseph@balena.io>
+                signed-off-by: Joseph Kogut <joseph@balena.io>
+              author: Joseph Kogut
+              nested: []
+            - subject: "recipes-bsp: add recipe for GRUB 2.12"
+              hash: 27808e2da6740bcd17d435aa15d644fef7b2b69c
+              body: >
+                This version changes how kernel images are booted, passing them
+                to the EFI
+
+                boot services LoadImage method, which uses EFISTUB and retains
+                the TPM
+
+                event log in memory.
+
+
+                Copy this recipe from Poky rev 43f9098. This may be removed once
+                Poky is
+
+                bumped to Scarthgap (5.0).
+
+
+                More info: https://edk2.groups.io/g/devel/topic/93730585
+              footer:
+                Change-type: patch
+                change-type: patch
+                Signed-off-by: Joseph Kogut <joseph@balena.io>
+                signed-off-by: Joseph Kogut <joseph@balena.io>
+              author: Joseph Kogut
+              nested: []
+            - subject: "tests: skip bootloader config integrity check"
+              hash: ad70f51fcc899dd3ec521c280c0a074302f7498f
+              body: >
+                GRUB 2.12 no longer outputs the escape codes the previous
+                version did.
+
+                Skip this test until we can patch the bootloader to output a
+                string we
+
+                can match against.
+              footer:
+                Change-type: patch
+                change-type: patch
+                Signed-off-by: Joseph Kogut <joseph@balena.io>
+                signed-off-by: Joseph Kogut <joseph@balena.io>
+              author: Joseph Kogut
+              nested: []
+            - subject: "secureboot: enroll kernel hash in db for EFISTUB"
+              hash: 45fe30fcc01bb2f3c423c11e2ea244546da30d57
+              body: >
+                Generate hash for second stage bootloader and enroll in db
+                efivar to
+
+                allow the firmware to verify the image for booting when using
+                EFISTUB.
+
+
+                This is necessary to update to GRUB 2.12, which passes the EFI
+                image to
+
+                the EFI boot services LoadImage method, which then validates the
+                image
+
+                when secure boot is enabled.
+              footer:
+                Change-type: patch
+                change-type: patch
+                Signed-off-by: Joseph Kogut <joseph@balena.io>
+                signed-off-by: Joseph Kogut <joseph@balena.io>
+              author: Joseph Kogut
+              nested: []
+          version: meta-balena-5.2.3
+          title: ""
+          date: 2024-03-22T08:48:01.071Z
+  version: 5.2.3
+  title: ""
+  date: 2024-03-22T10:26:00.680Z
 - commits:
     - subject: Update contracts to 2de35264348458938cf5c85c28660a58a1e8066a
       hash: 94d0ed9119f4f37fa106caff3986f66fde4f63ea
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,34 @@
 
 All notable changes to this project will be documented in this file
 
+# v5.2.3
+## (2024-03-22)
+
+
+<details>
+<summary> Update layers/meta-balena to 90d838ae943ffa72108522bfcc4370105a3be40c [Self-hosted Renovate Bot] </summary>
+
+> ## meta-balena-5.2.3
+> ### (2024-03-22)
+> 
+> * mv docs/{,uefi-}secure-boot.md [Joseph Kogut]
+> * docs: secure-boot: update for PCR7 sealing [Joseph Kogut]
+> * os-helpers: compute_pcr7: merge event log digests [Joseph Kogut]
+> * Update policy's PCR7 value in hostapp-update hook [Joseph Kogut]
+> * os-helpers-tpm2: compute_pcr7: allow overriding efivars [Joseph Kogut]
+> * Move policy update to HUP commit hook [Joseph Kogut]
+> * rollback-health: move apply-dbx to HUP commit hook [Joseph Kogut]
+> * hostapp-hooks: include 0-signed-update only for efi [Joseph Kogut]
+> * secure boot: seal luks passphrase w/ PCR7 [Joseph Kogut]
+> * os-helpers-tpm2: separate authentication from crypto [Joseph Kogut]
+> * tcgtool: new recipe [Joseph Kogut]
+> * recipes-bsp: add recipe for GRUB 2.12 [Joseph Kogut]
+> * tests: skip bootloader config integrity check [Joseph Kogut]
+> * secureboot: enroll kernel hash in db for EFISTUB [Joseph Kogut]
+> 
+
+</details>
+
 # v5.2.2+rev1
 ## (2024-03-21)
 
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-5.2.2+rev1
+5.2.3
