RDKEMW-9437 : Secure Unlock of Debug services(overrides) in LabSigned Build type #433
Conversation
Added the changes to remove rebootSTB script move reboot to background for pid monitoring
RDKEMW-8677:Clean up the mitigation done for dnsmasq restart
|
I have read the CLA Document and I hereby sign the CLA 2 out of 3 committers have signed the CLA. |
There was a problem hiding this comment.
Pull request overview
This PR has a critical discrepancy between its stated purpose and actual implementation. The title and description claim this is for "RDKEMW-9437: Secure Unlock of Debug services(overrides) in LabSigned Build type," but the actual changes implement three completely different issues as documented in the CHANGELOG: RDKEMW-8677 (dnsmasq cleanup), RDKEMW-8748/RDKTV-38567 (soft reboot fixes), and RDKEMW-8560 (scheduled reboot removal).
Changes:
- Removed scheduled reboot functionality (deleted rebootSTB.sh and scheduled-reboot.service)
- Modified reboot logic to execute reboot command in background with 90-second timeout and unconditional force reboot fallback
- Removed dnsmasq restart logic from NetworkManager dispatcher
- Added unused LABSIGNED_ENABLED property to device.properties
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 7 comments.
Show a summary per file
| File | Description |
|---|---|
| systemd_units/scheduled-reboot.service | Deleted systemd service for scheduled reboots |
| lib/rdk/rebootSTB.sh | Deleted scheduled reboot script |
| lib/rdk/rebootNow.sh | Modified reboot logic with background execution and extended timeout |
| lib/rdk/NM_Dispatcher.sh | Removed dnsmasq restart mitigation |
| etc/device.properties | Added LABSIGNED_ENABLED property (unused) |
| CHANGELOG.md | Updated with version 3.0.5v2 changes |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| #### [3.0.5v2](https://github.com/rdkcentral/sysint/compare/3.0.6...3.0.5v2) | ||
|
|
||
| - RDKEMW-8677:Clean up the mitigation done for dnsmasq restart [`#327`](https://github.com/rdkcentral/sysint/pull/327) | ||
| - RDKEMW-8748: Bring RDKTV-38567 changes to develop and release/8.3.4.0 [`a294dcb`](https://github.com/rdkcentral/sysint/commit/a294dcb6b228d0d181ce67ec91f4628fe27e1dc1) | ||
| - 3.0.5v1 hotfix release [`159602e`](https://github.com/rdkcentral/sysint/commit/159602effeeaf80f45f8bfa03a92e2e7628c1f38) |
There was a problem hiding this comment.
The PR title and description claim this is for "RDKEMW-9437: Secure Unlock of Debug services(overrides) in LabSigned Build type", but the actual changes documented in the CHANGELOG are for completely different issues (RDKEMW-8677, RDKEMW-8748/RDKTV-38567, and RDKEMW-8560). This is a critical discrepancy. Either the PR description is incorrect, or the wrong changes have been included in this PR.
| WAN_INTERFACE=eth0 | ||
| WIFI_INTERFACE=wlan0 | ||
| WIFI_SUPPORT=true | ||
| LABSIGNED_ENABLED=false |
There was a problem hiding this comment.
The LABSIGNED_ENABLED property is added but appears to be unused in the codebase. This property should either be utilized in the code to implement the stated feature (secure unlock of debug services based on build variant and device type), or it should be removed if it's not part of this PR's actual purpose.
| LABSIGNED_ENABLED=false |
| reboot & | ||
| REBOOT_PID=$! | ||
|
|
||
| rebootLog "System still running after reboot command, Reboot Failed..." | ||
| rebootLog "Invoking Systemctl Reboot After First Reboot Attempt Failure" | ||
| sleep 90 | ||
| rebootLog "System still running after reboot command, Reboot Failed for $REBOOT_PID..." | ||
| systemctl reboot | ||
| if [ $? -eq 1 ]; then | ||
| rebootLog "Reboot failed due to systemctl hang or connection timeout, trying force reboot..." | ||
| if [ -f /tmp/systemd_freeze_reboot_on ]; then | ||
| rebootLog "Force Reboot due to systemd freeze detection" | ||
| else | ||
| rebootLog "Force Reboot after systemd reboot failure" | ||
| fi | ||
| reboot -f | ||
| rebootLog "Reboot failed due to systemctl hang or connection timeout" | ||
| fi | ||
| kill $REBOOT_PID 2>/dev/null | ||
| rebootLog "Triggering force Reboot after standard soft reboot failure" | ||
| reboot -f |
There was a problem hiding this comment.
The reboot command is now executed in the background with '&', but the script continues immediately to sleep for 90 seconds. If the reboot succeeds quickly (within 90 seconds), the subsequent commands (systemctl reboot, kill, reboot -f) will attempt to execute on a system that is already shutting down. This could lead to race conditions and unpredictable behavior. Consider checking if the system is still responsive before proceeding with fallback reboot attempts.
|
|
||
| rebootLog "System still running after reboot command, Reboot Failed..." | ||
| rebootLog "Invoking Systemctl Reboot After First Reboot Attempt Failure" | ||
| sleep 90 |
There was a problem hiding this comment.
The sleep duration has been increased from 15 seconds to 90 seconds before declaring the reboot as failed. While this may be intentional to allow more time for graceful shutdown, it significantly delays the fallback reboot mechanism. If the first reboot command genuinely fails, the system will wait 90 seconds before attempting recovery. Consider whether this extended delay is appropriate for all failure scenarios, or if a shorter timeout with better detection logic would be more effective.
| systemctl reboot | ||
| if [ $? -eq 1 ]; then | ||
| rebootLog "Reboot failed due to systemctl hang or connection timeout, trying force reboot..." | ||
| if [ -f /tmp/systemd_freeze_reboot_on ]; then | ||
| rebootLog "Force Reboot due to systemd freeze detection" | ||
| else | ||
| rebootLog "Force Reboot after systemd reboot failure" | ||
| fi | ||
| reboot -f | ||
| rebootLog "Reboot failed due to systemctl hang or connection timeout" | ||
| fi | ||
| kill $REBOOT_PID 2>/dev/null | ||
| rebootLog "Triggering force Reboot after standard soft reboot failure" | ||
| reboot -f |
There was a problem hiding this comment.
The force reboot (reboot -f) is now always executed unconditionally after systemctl reboot, regardless of whether systemctl reboot succeeded or not. The previous logic only attempted force reboot when systemctl returned an error code of 1. This change means that even if systemctl reboot succeeds, the script will still try to kill the background reboot process and execute a force reboot, which could interrupt a successful graceful reboot in progress.
| @@ -472,21 +472,18 @@ rebootLog "End of the sync" | |||
|
|
|||
| rebootLog "Creating $REBOOTNOW_FLAG as the reboot was triggred by RDK software" | |||
There was a problem hiding this comment.
The word 'triggred' is misspelled and should be 'triggered'.
| rebootLog "Creating $REBOOTNOW_FLAG as the reboot was triggred by RDK software" | |
| rebootLog "Creating $REBOOTNOW_FLAG as the reboot was triggered by RDK software" |
|
|
||
| Generated by [`auto-changelog`](https://github.com/CookPete/auto-changelog). | ||
|
|
||
| #### [3.0.5v2](https://github.com/rdkcentral/sysint/compare/3.0.6...3.0.5v2) |
There was a problem hiding this comment.
The version comparison shows "3.0.5v2" comparing to "3.0.6", which is unusual. Typically, a v2 hotfix would be based on the same version (e.g., 3.0.5 to 3.0.5v2), not comparing to a later version. This suggests the changelog structure may be incorrect or these changes are being backported from version 3.0.6 to create a 3.0.5v2 hotfix. Please verify this is the intended version comparison.
| #### [3.0.5v2](https://github.com/rdkcentral/sysint/compare/3.0.6...3.0.5v2) | |
| #### [3.0.5v2](https://github.com/rdkcentral/sysint/compare/3.0.5...3.0.5v2) |
Reason for change: to enable debug services, only if the build vairant is labSigned and device is test type
Test Procedure: Flash the image and check for enabling secure debug services
Risks: Low