author | Bartosz Golaszewski <bgolaszewski@baylibre.com> | 2020-04-10 14:41:35 +0200 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2020-05-15 05:28:21 -0700 |
commit | d6369c9aafc433b08f9bb000142b274738be3fb3 (patch) | |
tree | d62718bfbdf83ad41946f4fca911c358328ddd56 /wic | |
parent | b329e1650daa860c7dfdbd771ddff611452c382b (diff) | |
dm-verity: add a working example for BeagleBone Black
This adds various bits and pieces to enable generating a working example
of a full chain of trust up to dm-verity-protected rootfs level on
BeagleBone Black.
The new initramfs is quite generic and should work for other SoCs as well
when using fitImage.
The following config can be used with current master poky,
meta-openembedded & meta-security to generate a BBB image using verified
boot and dm-verity.
UBOOT_SIGN_KEYDIR = "/tmp/test-keys/"
UBOOT_SIGN_KEYNAME = "dev"
UBOOT_SIGN_ENABLE = "1"
UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb -p 2000"
UBOOT_MACHINE_beaglebone-yocto = "am335x_boneblack_vboot_config"
IMAGE_CLASSES += "dm-verity-img"
IMAGE_FSTYPES += "wic.xz ext4"
DM_VERITY_IMAGE = "core-image-full-cmdline"
DM_VERITY_IMAGE_TYPE = "ext4"
KERNEL_CLASSES += "kernel-fitimage"
KERNEL_IMAGETYPE_beaglebone-yocto = "fitImage"
IMAGE_INSTALL_remove = " kernel-image-zimage"
IMAGE_BOOT_FILES_remove = " zImage"
IMAGE_BOOT_FILES_append = " fitImage-${INITRAMFS_IMAGE}-${MACHINE}-${MACHINE};fitImage"
# Using systemd is not strictly needed but deals nicely with read-only
# filesystem by default.
DISTRO_FEATURES_append = " systemd"
DISTRO_FEATURES_BACKFILL_CONSIDERED += "sysvinit"
VIRTUAL-RUNTIME_init_manager = "systemd"
VIRTUAL-RUNTIME_initscripts = "systemd-compat-units"
INITRAMFS_IMAGE = "dm-verity-image-initramfs"
INITRAMFS_FSTYPES = "cpio.gz"
INITRAMFS_IMAGE_BUNDLE = "1"
WKS_FILE = "beaglebone-yocto-verity.wks.in"
KERNEL_FEATURES_append = " features/device-mapper/dm-verity.scc"
Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat (limited to 'wic')
-rw-r--r-- | wic/beaglebone-yocto-verity.wks.in | 15 |
1 files changed, 15 insertions, 0 deletions
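diff --git a/wic/beaglebone-yocto-verity.wks.in b/wic/beaglebone-yocto-verity.wks.in
new file mode 100644
index 0000000..cd1702e
--- /dev/null
+++ b/wic/beaglebone-yocto-verity.wks.in
@@ -0,0 +1,15 @@
+# SPDX-License-Identifier: MIT
+#
+# Copyright (C) 2020 BayLibre SAS
+# Author: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+#
+# A dm-verity variant of the regular wks for beaglebone black. We need to fetch
+# the partition images from the DEPLOY_DIR_IMAGE as the rootfs source plugin will
+# not recreate the exact block device corresponding with the hash tree. We must
+# not alter the label or any other setting on the image.
+#
+# This .wks only works with the dm-verity-img class.
+
+part /boot --source bootimg-partition --ondisk mmcblk0 --fstype=vfat --label boot --active --align 4 --size 16 --sourceparams="loader=u-boot" --use-uuid
+part / --source rawcopy --ondisk mmcblk0 --sourceparams="file=${DEPLOY_DIR_IMAGE}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity"
+bootloader --append="console=ttyS0,115200"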
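Review bot: The `bootloader --append` line at the end of the file puts the kernel command line on the unsigned vfat `/boot` partition — with `--sourceparams="loader=u-boot"` the bootimg-partition plugin, as far as I recall, emits it into an `extlinux/extlinux.conf` there — and nothing in this .wks ties that file to the FIT signature, so an attacker who can write the SD card could presumably edit `root=` or add `init=/bin/sh` and boot around dm-verity unless the U-Boot configuration ignores on-disk boot configuration and uses only bootargs compiled into U-Boot or carried in a signed boot script. The header comment (file lines 6-11) explains the rawcopy workaround but not this trust boundary, nor where the verity root hash is expected to come from (presumably the bundled initramfs inside the signed fitImage, since the wks passes none on the command line); both belong in the file so the next person does not switch the boot partition to a plain extlinux/boot.scr flow and silently lose the guarantee. I would add above the `bootloader` line: `# --append ends up in an unsigned extlinux.conf on /boot; U-Boot must not trust it, and the verity root hash must come from inside the signed fitImage.` Whether `--use-uuid` on `/boot` is needed at all (the rootfs partition is addressed by the initramfs, not by a `root=PARTUUID`) is also worth a one-line remark.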