diff options
| author | Paul Gortmaker <paul.gortmaker@windriver.com> | 2023-06-21 10:13:35 -0700 |
|---|---|---|
| committer | Armin Kuster <akuster808@gmail.com> | 2023-06-25 15:05:28 -0400 |
| commit | f1591a1579c44ea8127678e5cd0f89b22ecdc495 (patch) | |
| tree | 101604fdee556497040dd7dcb7cb674def236966 | |
| parent | 521e7b040a6011fd66d22be0c98b14ab40eca28b (diff) | |
| download | meta-security-f1591a1579c44ea8127678e5cd0f89b22ecdc495.tar.gz | |
dm-verity: add sample systemd separate hash example and doc
Create a wks.in that allows an out-of-the-box build of a bootable
USB image using systemd and the hash data as a separate device or
partition.
A focus here was to ensure we used proper GPT names and GPT types,
and the GPT UUIDs that are based on splitting the root hash.
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| -rw-r--r-- | docs/dm-verity-systemd-hash-x86-64.txt | 43 | ||||
| -rw-r--r-- | wic/systemd-bootdisk-dmverity-hash.wks.in | 18 |
2 files changed, 61 insertions, 0 deletions
diff --git a/docs/dm-verity-systemd-hash-x86-64.txt b/docs/dm-verity-systemd-hash-x86-64.txt new file mode 100644 index 0000000..673b810 --- /dev/null +++ b/docs/dm-verity-systemd-hash-x86-64.txt | |||
| @@ -0,0 +1,43 @@ | |||
| 1 | dm-verity and x86-64 and systemd - separate hash device | ||
| 2 | ------------------------------------------------------- | ||
| 3 | |||
| 4 | Everything said in "dm-verity-systemd-x86-64.txt" applies here. | ||
| 5 | However booting under QEMU is not tested - only on real hardware. | ||
| 6 | So for your MACHINE you need to choose "genericx86-64". | ||
| 7 | |||
| 8 | Also, you'll need to point at the hash specific WKS file: | ||
| 9 | |||
| 10 | WKS_FILES += " systemd-bootdisk-dmverity-hash.wks.in" | ||
| 11 | |||
| 12 | The fundamental difference is to use a separate device/partition for | ||
| 13 | storage of the hash data -- instead of "hiding" it beyond the filesystem | ||
| 14 | in what is essentially a 5-10% oversized partition. This takes any manual | ||
| 15 | math calculations of size/offset out of the picture, and uses the kernel's | ||
| 16 | natural behaviour of compartmentalizing devices to ensure they are separate. | ||
| 17 | |||
| 18 | The example hash.wks file added here essentially adds a hash-only partition | ||
| 19 | directly after the filesystem partition. So the filesystem partition is | ||
| 20 | no longer "oversized" and no offsets are needed/used. | ||
| 21 | |||
| 22 | Since we are now using multiple partitions, we make a better effort to use | ||
| 23 | accepted GPT partition types and UUIDs based on the roothash. This means | ||
| 24 | easier sysadmin level use/debugging based on cfdisk output etc. | ||
| 25 | |||
| 26 | Generating the separate root hash image is driven off enabling this: | ||
| 27 | DM_VERITY_SEPARATE_HASH = "1" | ||
| 28 | |||
| 29 | Two other variables control the GPT UUIDs - set to x86-64 defaults: | ||
| 30 | |||
| 31 | DM_VERITY_ROOT_GUID ?= "4f68bce3-e8cd-4db1-96e7-fbcaf984b709" | ||
| 32 | DM_VERITY_RHASH_GUID ?= "2c7357ed-ebd2-46d9-aec1-23d437ec2bf5" | ||
| 33 | |||
| 34 | See: https://uapi-group.org/specifications/specs/discoverable_partitions_specification/ | ||
| 35 | |||
| 36 | Finally, the UUIDs (not the "partition types" above) are based off of | ||
| 37 | the root node hash value as per the systemd "autodetect" proposed standard. | ||
| 38 | These will obviously change with every update/rebuild of the root image. | ||
| 39 | |||
| 40 | While not strictly coupled to any functionality at this point in time, it | ||
| 41 | does aid in easier debugging, and puts us in alignment with using systemd | ||
| 42 | inside the initramfs to replace manual veritysetup like configuration we | ||
| 43 | currently do in the initramfs today, should we decide to do so later on. | ||
diff --git a/wic/systemd-bootdisk-dmverity-hash.wks.in b/wic/systemd-bootdisk-dmverity-hash.wks.in new file mode 100644 index 0000000..e400593 --- /dev/null +++ b/wic/systemd-bootdisk-dmverity-hash.wks.in | |||
| @@ -0,0 +1,18 @@ | |||
| 1 | # short-description: Create an EFI disk image with systemd-boot and separate hash dm-verity | ||
| 2 | # A dm-verity variant of the regular wks for IA machines. We need to fetch | ||
| 3 | # the partition images from the IMGDEPLOYDIR as the rootfs source plugin will | ||
| 4 | # not recreate the exact block device corresponding with the hash tree. We must | ||
| 5 | # not alter the label or any other setting on the image. | ||
| 6 | # Based on OE-core's systemd-bootdisk.wks and meta-security's beaglebone-yocto-verity.wks.in file | ||
| 7 | # | ||
| 8 | # This .wks only works with the dm-verity-img class and separate hash data. (DM_VERITY_SEPARATE_HASH) | ||
| 9 | |||
| 10 | part /boot --source bootimg-efi --sourceparams="loader=systemd-boot,initrd=microcode.cpio" --ondisk sda --label msdos --active --align 1024 --use-uuid | ||
| 11 | |||
| 12 | # include the root+hash part with the dynamic hash/UUIDs from the build. | ||
| 13 | include ${STAGING_VERITY_DIR}/${IMAGE_BASENAME}.${DM_VERITY_IMAGE_TYPE}.wks.in | ||
| 14 | |||
| 15 | # add "console=ttyS0,115200" or whatever you need to the --append="..." | ||
| 16 | bootloader --ptable gpt --timeout=5 --append="root=/dev/mapper/rootfs" | ||
| 17 | |||
| 18 | part swap --ondisk sda --size 44 --label swap1 --fstype=swap --use-uuid | ||