diff options
| author | Paul Gortmaker <paul.gortmaker@windriver.com> | 2023-06-21 10:13:34 -0700 |
|---|---|---|
| committer | Armin Kuster <akuster808@gmail.com> | 2023-06-25 15:05:28 -0400 |
| commit | 521e7b040a6011fd66d22be0c98b14ab40eca28b (patch) | |
| tree | 8f182e96f33839e2a183992df816452903dee59a | |
| parent | 3b88f75323bd399615eb6c0897b13cbb59e35e64 (diff) | |
| download | meta-security-521e7b040a6011fd66d22be0c98b14ab40eca28b.tar.gz | |
dm-verity: hook separate hash into initramfs framework
The prior commits create the separate hash so now it is time to update
the initramfs framework so that veritysetup, which is responsible for
binding the data and hash, is aware of when separate hash is in use,
and can react accordingly.
The added code follows the existing appended hash code style, but is
considerably smaller because it doesn't have the large case statement
that supports all possible identification schemes (label, UUID, ...).
With the root hash split in two to create the respective partition
UUIDs, we know exactly how to identify it, and the UUIDs used.
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| -rw-r--r-- | recipes-core/initrdscripts/initramfs-framework-dm/dmverity | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/recipes-core/initrdscripts/initramfs-framework-dm/dmverity b/recipes-core/initrdscripts/initramfs-framework-dm/dmverity index 71afc91..1923490 100644 --- a/recipes-core/initrdscripts/initramfs-framework-dm/dmverity +++ b/recipes-core/initrdscripts/initramfs-framework-dm/dmverity | |||
| @@ -8,12 +8,41 @@ dmverity_run() { | |||
| 8 | DATA_SIZE="__not_set__" | 8 | DATA_SIZE="__not_set__" |
| 9 | DATA_BLOCK_SIZE="__not_set__" | 9 | DATA_BLOCK_SIZE="__not_set__" |
| 10 | ROOT_HASH="__not_set__" | 10 | ROOT_HASH="__not_set__" |
| 11 | SEPARATE_HASH="__not_set__" | ||
| 11 | 12 | ||
| 12 | . /usr/share/misc/dm-verity.env | 13 | . /usr/share/misc/dm-verity.env |
| 13 | 14 | ||
| 14 | C=0 | 15 | C=0 |
| 15 | delay=${bootparam_rootdelay:-1} | 16 | delay=${bootparam_rootdelay:-1} |
| 16 | timeout=${bootparam_roottimeout:-5} | 17 | timeout=${bootparam_roottimeout:-5} |
| 18 | |||
| 19 | # we know exactly what we are looking for; don't need the wide hunt below | ||
| 20 | if [ "${SEPARATE_HASH}" -eq "1" ]; then | ||
| 21 | while [ ! -b "/dev/disk/by-partuuid/${ROOT_UUID}" ]; do | ||
| 22 | if [ $(( $C * $delay )) -gt $timeout ]; then | ||
| 23 | fatal "Root device (data) resolution failed" | ||
| 24 | exit 1 | ||
| 25 | fi | ||
| 26 | debug "Sleeping for $delay second(s) to wait for root data to settle..." | ||
| 27 | sleep $delay | ||
| 28 | C=$(( $C + 1 )) | ||
| 29 | done | ||
| 30 | |||
| 31 | veritysetup \ | ||
| 32 | --data-block-size=${DATA_BLOCK_SIZE} \ | ||
| 33 | create rootfs \ | ||
| 34 | /dev/disk/by-partuuid/${ROOT_UUID} \ | ||
| 35 | /dev/disk/by-partuuid/${RHASH_UUID} \ | ||
| 36 | ${ROOT_HASH} | ||
| 37 | |||
| 38 | mount \ | ||
| 39 | -o ro \ | ||
| 40 | /dev/mapper/rootfs \ | ||
| 41 | ${ROOTFS_DIR} || exit 2 | ||
| 42 | |||
| 43 | return | ||
| 44 | fi | ||
| 45 | |||
| 17 | RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=} 2>/dev/null)" | 46 | RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=} 2>/dev/null)" |
| 18 | while [ ! -b "${RDEV}" ]; do | 47 | while [ ! -b "${RDEV}" ]; do |
| 19 | if [ $(( $C * $delay )) -gt $timeout ]; then | 48 | if [ $(( $C * $delay )) -gt $timeout ]; then |