meta-phosphor: fix openssh key generation on read-only-rootfs types

Some of our file system layouts enable the `read-only-rootfs` feature,
which happens to trigger some code in rootfs-postcommands.bbclass that
moves the SSH key location from `/etc` to `/var`.  For Dropbear, the
default was to move it to `/var/lib`, which we happen to put into an
overlay, but for OpenSSH it moved it to `/var/run`.  The result of this
is that the SSH key is regenerated on each reboot.

In order to bypass this code that expects the SSH key to be in a
volatile file system, Yocto provides the `overlayfs-etc` IMAGE_FEATURE
as well.  We need to enable this, but this feature as a side-effect
generates an alternative `/sbin/init` similar to what we do for
pre-mounting the overlay.  We need to disable this aspect so I've set
some variables and appends to cause `overlayfs-etc.bbclass` to have no
effect.

Lastly, the result of all of this is that the location for the dropbear
key moves from `/var/lib` to `/etc` (which is what the default is on
the jffs2-based layouts already).  Add some migration services that
will move existing keys in the old location over to `/etc` so that
users do not notice a host key change as part of this.

Tested: Tested on Bletchley (OpenSSH) and Witherspoon (Dropbear).
Bletchley no longer regenerates the SSH key on each reboot.
Witherspoon has the key location in `/etc/dropbear` as expected and
the migration service successfully runs before the
`dropbearkey.service`.

```
May 05 21:46:40 witherspoon systemd[1]: Starting SSH Key Generation...
May 05 21:46:41 witherspoon sh[268]: Generating 2048 bit rsa key, this may take a while...
May 05 21:47:13 witherspoon sh[268]: Public key portion is:
May 05 21:47:13 witherspoon sh[268]: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCgiywAIF3RleqNphZZuUjNCXDI10ChEAoPI02/g9F8CiXI2Pc55nFHh/hrTn7niawydpEc8FH62rf1WpoA5hYkKrj/j6i2Iv1UrGFZX4q9IwlFcd3...
May 05 21:47:13 witherspoon sh[268]: Fingerprint: SHA256:tsjx4PBtcaiLnUCFh4XESPRnTXoGsgujVrbdJD4INMY
May 05 21:47:13 witherspoon systemd[1]: Finished SSH Key Generation.
```

Manually moved the key to `/var/lib` and rebooted and observed the same
key moved back to `/etc` (on Witherspoon).

```
May 05 21:49:01 witherspoon systemd[1]: Starting Migrate dropbear keys from /var/lib to /etc...
May 05 21:49:02 witherspoon migrate-key-location[194]: Migrating Dropbear key from /var/lib to /etc.
May 05 21:49:11 witherspoon systemd[1]: Finished Migrate dropbear keys from /var/lib to /etc.
May 05 21:49:14 witherspoon systemd[1]: Starting SSH Key Generation...
May 05 21:49:18 witherspoon systemd[1]: Finished SSH Key Generation.
```

After one last reboot, the key in `/etc` is reused:

```
May 05 21:51:44 witherspoon systemd[1]: Starting SSH Key Generation...
May 05 21:51:45 witherspoon systemd[1]: Finished SSH Key Generation.
```

Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I68b6c383f91931995e3d3203e5aafd8fdc23f750
diff --git a/meta-phosphor/recipes-core/dropbear/dropbear/dropbear-migrate-key-location.service b/meta-phosphor/recipes-core/dropbear/dropbear/dropbear-migrate-key-location.service
new file mode 100644
index 0000000..f8c12bf
--- /dev/null
+++ b/meta-phosphor/recipes-core/dropbear/dropbear/dropbear-migrate-key-location.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Migrate dropbear keys from /var/lib to /etc
+Before=dropbearkey.service
+ConditionPathExists=/var/lib/dropbear/dropbear_rsa_host_key
+
+[Service]
+RemainAfterExit=yes
+Type=oneshot
+ExecStart=/usr/libexec/dropbear/migrate-key-location
+
+[Install]
+WantedBy=dropbearkey.service
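Review bot: In `[Unit]`, `Before=dropbearkey.service` combined with `WantedBy=dropbearkey.service` gives only ordering plus a weak dependency, so a failed `ExecStart` does not stop dropbearkey.service from running next. With no key in `/etc` at that point, key generation would presumably create a fresh one, which is the host key change this unit exists to prevent. If falling back to a new key is the intended behaviour (so SSH stays reachable), please say so in a comment; otherwise consider a stronger dependency or a clearly logged failure. Also note that `ConditionPathExists=` names only `dropbear_rsa_host_key`, so any other key type in `/var/lib/dropbear` is silently left behind; a one-line comment that only the RSA key is handled would help.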
diff --git a/meta-phosphor/recipes-core/dropbear/dropbear/migrate-key-location b/meta-phosphor/recipes-core/dropbear/dropbear/migrate-key-location
new file mode 100644
index 0000000..ce96894
--- /dev/null
+++ b/meta-phosphor/recipes-core/dropbear/dropbear/migrate-key-location
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+if [ ! -e /etc/dropbear/dropbear_rsa_host_key ]; then
+    if [ -e /var/lib/dropbear/dropbear_rsa_host_key ]; then
+        echo "Migrating Dropbear key from /var/lib to /etc."
+        mkdir -p /etc/dropbear
+        mv /var/lib/dropbear/dropbear_rsa_host_key /etc/dropbear
+    else
+        echo "No Dropbear key found in /var/lib."
+    fi
+fi
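Review bot: The `mv /var/lib/dropbear/dropbear_rsa_host_key /etc/dropbear` line is not atomic if `/var/lib` and `/etc` sit on different mounts, because `mv` then degrades to copy-and-delete. A power loss during the copy can leave a truncated file at `/etc/dropbear/dropbear_rsa_host_key`, and on the next boot the outer `[ ! -e ... ]` test sees that file and skips the migration for good. Suggest copying to a temporary name inside `/etc/dropbear`, syncing, then renaming into place and removing the source only after that. When both files already exist the script exits silently and leaves a private key in `/var/lib`; a log line for that case (and a decision on whether to delete the stale copy) would be worth adding. `mkdir -p /etc/dropbear` also takes its mode from the caller's umask, so an explicit mode would make the directory permissions deterministic.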
diff --git a/meta-phosphor/recipes-core/dropbear/dropbear_%.bbappend b/meta-phosphor/recipes-core/dropbear/dropbear_%.bbappend
index a3cbd1b..6448fbf 100644
--- a/meta-phosphor/recipes-core/dropbear/dropbear_%.bbappend
+++ b/meta-phosphor/recipes-core/dropbear/dropbear_%.bbappend
@@ -6,8 +6,21 @@
 SRC_URI += "file://dropbearkey.service \
             file://localoptions.h \
             file://dropbear.default \
+            file://dropbear-migrate-key-location.service \
+            file://migrate-key-location \
            "
 
 # pull in OpenSSH's /usr/libexec/sftp-server so we don't have to rely
 # on the crufty old scp protocol for file transfer
 RDEPENDS:${PN} += "openssh-sftp-server"
+
+# Add service to migrate the dropbear keys from /var/lib to /etc.
+do_install:append() {
+    install -d ${D}${base_libdir}/systemd/system
+    install -m 0644 ${WORKDIR}/dropbear-migrate-key-location.service \
+        ${D}${base_libdir}/systemd/system
+
+    install -d ${D}${libexecdir}/${BPN}
+    install -m 0755 ${WORKDIR}/migrate-key-location ${D}${libexecdir}/${BPN}
+}
+SYSTEMD_SERVICE:${PN}:append = " dropbear-migrate-key-location.service"
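Review bot: In `do_install:append()`, the unit is installed to `${D}${base_libdir}/systemd/system`, but `base_libdir` is the architecture-dependent library directory and is not guaranteed to be where systemd looks for units; `${systemd_system_unitdir}` is the usual variable for this and avoids the mismatch. Separately, the script is installed under `${libexecdir}/${BPN}` while the new unit file hard-codes `ExecStart=/usr/libexec/dropbear/migrate-key-location`, so the two only agree as long as `libexecdir` is `/usr/libexec`; either substitute the path into the unit at install time or note the assumption in the comment above `do_install:append()`.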
diff --git a/meta-phosphor/recipes-phosphor/images/obmc-phosphor-image.bb b/meta-phosphor/recipes-phosphor/images/obmc-phosphor-image.bb
index 974b911..7759b7e 100644
--- a/meta-phosphor/recipes-phosphor/images/obmc-phosphor-image.bb
+++ b/meta-phosphor/recipes-phosphor/images/obmc-phosphor-image.bb
@@ -39,7 +39,7 @@
         obmc-user-mgmt-ldap \
         ${@bb.utils.contains_any('DISTRO_FEATURES', \
             'obmc-ubi-fs phosphor-mmc obmc-static-norootfs', \
-            'read-only-rootfs', '', d)} \
+            'read-only-rootfs overlayfs-etc', '', d)} \
         ssh-server-dropbear \
         obmc-debug-collector \
         obmc-network-mgmt \
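Review bot: The changed line `'read-only-rootfs overlayfs-etc', '', d)}` has no comment, and a reader who sees `overlayfs-etc` in the feature list will assume the class's `/etc` overlay mount and generated init are in use, when the block added at the end of this file deliberately neutralises them. Please add a short comment here pointing at that block and stating that the feature is enabled only for its effect on the SSH key location. Since the feature now applies to all three of `obmc-ubi-fs`, `phosphor-mmc` and `obmc-static-norootfs`, it would also help to record in the commit message which of those layouts the two tested machines cover.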
@@ -49,3 +49,15 @@
 # The shadow recipe provides the binaries(like useradd, usermod) needed by the
 # phosphor-user-manager.
 ROOTFS_RO_UNNEEDED:remove = "shadow"
+
+# We need to set overlayfs-etc so that the dropbear/openssh keys don't end up
+# in a volatile file system, but we always have our own init that sets these
+# up.  Add enough bogus values here that rootfs-postcommands.bbclass does what
+# we want without overlayfs-etc.bbclass messing things up.
+OVERLAYFS_ETC_USE_ORIG_INIT_NAME="0"
+OVERLAYFS_ETC_MOUNT_POINT = "/this/is/unused"
+OVERLAYFS_ETC_FSTYPE = "not_a_fs_type"
+OVERLAYFS_ETC_DEVICE = "/dev/null"
+python create_overlayfs_etc_preinit:append() {
+    os.unlink(preinitPath)
+}
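Review bot: The appended body `os.unlink(preinitPath)` uses a name that is not defined anywhere in this hunk, so it depends on a local variable inside the `create_overlayfs_etc_preinit` function being appended to, and a rename or restructuring in that class will break this recipe. Please note that coupling in the comment block, and consider checking that the path exists before unlinking so the failure mode is explicit. The comment calls the four `OVERLAYFS_ETC_*` settings "bogus values" without saying which check each one satisfies; one line per variable would make it clear which can be dropped if the class changes. Style nit: `OVERLAYFS_ETC_USE_ORIG_INIT_NAME="0"` is missing the spaces around `=` that the three assignments below it use.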