mirrors/meta-security
1
0
Fork 0
mirror of https://git.yoctoproject.org/meta-security synced 2026-05-07 04:58:47 +00:00
Code Issues Projects Releases Wiki Activity

dm-verity-image-initramfs: Ensure verity hash sync

Browse Source 
In order to ensure that the bundled initramfs always contains the most
recently generated DM_VERITY_IMAGE specific root filesystems' root hash,
we disable the timestamp for do_rootfs() task here, meaning that the
task will be re-executed whenever some task that depends on it executes.

Without this change, executing e.g. the following sequence

  $ bitbake <DM_VERITY_IMAGE>
  $ bitbake -c clean <DM_VERITY_IMAGE>
  $ bitbake <DM_VERITY_IMAGE>

results in an unbootable <DM_VERITY_IMAGE> rootfs, which fails like

  Mounting /dev/vda over dm-verity as the root filesystem
  [    8.729974] device-mapper: verity: sha256 using implementation sha256-generic
  [    8.810784] device-mapper: verity: 253:0: metadata block 3017 is corrupted
  [    8.813018] device-mapper: verity: 253:0: metadata block 3017 is corrupted
  [    8.813912] Buffer I/O error on dev dm-0, logical block 2992, async page read
  Verity device detected corruption after activation.
  [    8.889548] device-mapper: verity: 253:0: metadata block 3017 is corrupted
  [    8.891060] device-mapper: verity: 253:0: metadata block 3017 is corrupted
  [    8.891456] Buffer I/O error on dev dm-0, logical block 2992, async page read
  ...
  [    9.135707] EXT4-fs (dm-0): unable to read superblock
  [    9.142897] EXT4-fs (dm-0): unable to read superblock
  [    9.145393] EXT4-fs (dm-0): unable to read superblock
  [    9.147905] FAT-fs (dm-0): unable to read boot sector
  mount: /new_root: can't read superblock on /dev/mapper/rootfs.
  BusyBox v1.32.0 () multi-call binary.

  Usage: switch_root [-c CONSOLE_DEV] NEW_ROOT NEW_INIT [ARGS]
  [    9.243274] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100
  [    9.243701] CPU: 0 PID: 1 Comm: switch_root Not tainted 5.8.3-yocto-standard #1
  [    9.243853] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
  ...
  [    9.248548] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100 ]---

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
niko.mauno@vaisala.com
2020-09-10 16:17:50 +00:00
committed by Armin Kuster
parent fd23d52565
commit 4cf81a5847
1 changed files with 3 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
recipes-core/images/dm-verity-image-initramfs.bb
+3
View File
@@ -16,6 +16,9 @@ PACKAGE_INSTALL = " \
# Can we somehow inspect reverse dependencies to avoid these variables?
do_rootfs[depends] += "${DM_VERITY_IMAGE}:do_image_${DM_VERITY_IMAGE_TYPE}"
# Ensure dm-verity.env is updated also when rebuilding DM_VERITY_IMAGE
do_rootfs[nostamp] = "1"
IMAGE_FSTYPES = "${INITRAMFS_FSTYPES}"
inherit core-image