mirrors/meta-security
1
0
Fork 0
mirror of https://git.yoctoproject.org/meta-security synced 2026-01-11 15:00:34 +00:00
Code Issues Projects Releases Wiki Activity
Files
master
meta-security/docs/dm-verity-systemd-hash-x86-64.txt
Paul Gortmaker f1591a1579 dm-verity: add sample systemd separate hash example and doc 
Create a wks.in that allows an out-of-the-box build of a bootable
USB image using systemd and the hash data as a separate device or
partition.

A focus here was to ensure we used proper GPT names and GPT types,
and the GPT UUIDs that are based on splitting the root hash.

Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-06-25 15:05:28 -04:00

44 lines
2.1 KiB
Plaintext
Raw Permalink Blame History

dm-verity and x86-64 and systemd - separate hash device
-------------------------------------------------------
Everything said in "dm-verity-systemd-x86-64.txt" applies here.
However booting under QEMU is not tested - only on real hardware.
So for your MACHINE you need to choose "genericx86-64".
Also, you'll need to point at the hash specific WKS file:
WKS_FILES += " systemd-bootdisk-dmverity-hash.wks.in"
The fundamental difference is to use a separate device/partition for
storage of the hash data -- instead of "hiding" it beyond the filesystem
in what is essentially a 5-10% oversized partition. This takes any manual
math calculations of size/offset out of the picture, and uses the kernel's
natural behaviour of compartmentalizing devices to ensure they are separate.
The example hash.wks file added here essentially adds a hash-only partition
directly after the filesystem partition. So the filesystem partition is
no longer "oversized" and no offsets are needed/used.
Since we are now using multiple partitions, we make a better effort to use
accepted GPT partition types and UUIDs based on the roothash. This means
easier sysadmin level use/debugging based on cfdisk output etc.
Generating the separate root hash image is driven off enabling this:
DM_VERITY_SEPARATE_HASH = "1"
Two other variables control the GPT UUIDs - set to x86-64 defaults:
DM_VERITY_ROOT_GUID ?= "4f68bce3-e8cd-4db1-96e7-fbcaf984b709"
DM_VERITY_RHASH_GUID ?= "2c7357ed-ebd2-46d9-aec1-23d437ec2bf5"
See: https://uapi-group.org/specifications/specs/discoverable_partitions_specification/
Finally, the UUIDs (not the "partition types" above) are based off of
the root node hash value as per the systemd "autodetect" proposed standard.
These will obviously change with every update/rebuild of the root image.
While not strictly coupled to any functionality at this point in time, it
does aid in easier debugging, and puts us in alignment with using systemd
inside the initramfs to replace manual veritysetup like configuration we
currently do in the initramfs today, should we decide to do so later on.
Reference in New Issue View Git Blame Copy Permalink