dm-verity: add a working example for BeagleBone Black

This adds various bits and pieces to enable generating a working example of a full chain of trust up to dm-verity-protected rootfs level on Beagle Bone Black. The new initramfs is quite generic and should work for other SoCs as well when using fitImage. The following config can be used with current master poky, meta-openembedded & meta-security to generate a BBB image using verified boot and dm-verity. UBOOT_SIGN_KEYDIR = "/tmp/test-keys/" UBOOT_SIGN_KEYNAME = "dev" UBOOT_SIGN_ENABLE = "1" UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb -p 2000" UBOOT_MACHINE_beaglebone-yocto = "am335x_boneblack_vboot_config" IMAGE_CLASSES += "dm-verity-img" IMAGE_FSTYPES += "wic.xz ext4" DM_VERITY_IMAGE = "core-image-full-cmdline" DM_VERITY_IMAGE_TYPE = "ext4" KERNEL_CLASSES += "kernel-fitimage" KERNEL_IMAGETYPE_beaglebone-yocto = "fitImage" IMAGE_INSTALL_remove = " kernel-image-zimage" IMAGE_BOOT_FILES_remove = " zImage" IMAGE_BOOT_FILES_append = " fitImage-${INITRAMFS_IMAGE}-${MACHINE}-${MACHINE};fitImage" # Using systemd is not strictly needed but deals nicely with read-only # filesystem by default. DISTRO_FEATURES_append = " systemd" DISTRO_FEATURES_BACKFILL_CONSIDERED += "sysvinit" VIRTUAL-RUNTIME_init_manager = "systemd" VIRTUAL-RUNTIME_initscripts = "systemd-compat-units" INITRAMFS_IMAGE = "dm-verity-image-initramfs" INITRAMFS_FSTYPES = "cpio.gz" INITRAMFS_IMAGE_BUNDLE = "1" WKS_FILE = "beaglebone-yocto-verity.wks.in" KERNEL_FEATURES_append = " features/device-mapper/dm-verity.scc" Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2026-04-20 11:29:37 +00:00 · 2020-04-10 14:41:35 +02:00
parent b329e1650d
commit d6369c9aaf
4 changed files with 100 additions and 0 deletions
--- a/recipes-core/initrdscripts/initramfs-dm-verity.bb
+++ b/recipes-core/initrdscripts/initramfs-dm-verity.bb
@@ -0,0 +1,13 @@
+SUMMARY = "Simple init script that uses devmapper to mount the rootfs in read-only mode protected by dm-verity"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+SRC_URI = "file://init-dm-verity.sh"
+
+do_install() {
+    install -m 0755 ${WORKDIR}/init-dm-verity.sh ${D}/init
+    install -d ${D}/dev
+    mknod -m 622 ${D}/dev/console c 5 1
+}
+
+FILES_${PN} = "/init /dev/console"
--- a/recipes-core/initrdscripts/initramfs-dm-verity/init-dm-verity.sh
+++ b/recipes-core/initrdscripts/initramfs-dm-verity/init-dm-verity.sh
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+RDEV=""
+ROOT_DIR="/new_root"
+
+mkdir -p /proc
+mkdir -p /sys
+mkdir -p /run
+mkdir -p /tmp
+mount -t proc proc /proc
+mount -t sysfs sysfs /sys
+mount -t devtmpfs none /dev
+
+udevd --daemon
+udevadm trigger --type=subsystems --action=add
+udevadm trigger --type=devices --action=add
+udevadm settle --timeout=10
+
+for PARAM in $(cat /proc/cmdline); do
+	case $PARAM in
+		root=*)
+			RDEV=${PARAM#root=}
+			;;
+	esac
+done
+
+if ! [ -b $RDEV ]; then
+	echo "Missing root command line argument!"
+	exit 1
+fi
+
+case $RDEV in
+	UUID=*)
+		RDEV=$(realpath /dev/disk/by-uuid/${RDEV#UUID=})
+		;;
+esac
+
+. /usr/share/dm-verity.env
+
+echo "Mounting $RDEV over dm-verity as the root filesystem"
+
+veritysetup --data-block-size=1024 --hash-offset=$DATA_SIZE create rootfs $RDEV $RDEV $ROOT_HASH
+mkdir -p $ROOT_DIR
+mount -o ro /dev/mapper/rootfs $ROOT_DIR
+exec switch_root $ROOT_DIR /sbin/init