mirrors/meta-security
1
0
Fork 0
mirror of https://git.yoctoproject.org/meta-security synced 2026-01-12 03:10:13 +00:00
Code Issues Projects Releases Wiki Activity
Files
test
meta-security/classes/dm-verity-img.bbclass
niko.mauno@vaisala.com 170945ff9f dm-verity-img.bbclass: Stage verity.env file 
Introduce new STAGING_VERITY_DIR variable specific to this bbclass which
defines the directory where the verity.env file is stored during
<DM_VERITY_IMAGE>:do_image_<DM_VERITY_IMAGE_TYPE> task and can
consequtively be picked up into associated initramfs rootfs (which
facilitates executing 'veritysetup' and related actions).

By doing this we mitigate failures that were thus far associated to this
facility, such as

  install: cannot stat '.../build/tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64.ext4.verity.env': No such file or directory

and

  install: cannot stat '.../build/tmp/deploy/images/beaglebone-yocto/core-image-minimal-beaglebone-yocto.ext4.verity.env': No such file or directory

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-09-12 08:55:28 -07:00

93 lines
3.5 KiB
Plaintext
Raw Permalink Blame History

# SPDX-License-Identifier: MIT
#
# Copyright (C) 2020 BayLibre SAS
# Author: Bartosz Golaszewski <bgolaszewski@baylibre.com>
#
# This bbclass allows creating of dm-verity protected partition images. It
# generates a device image file with dm-verity hash data appended at the end
# plus the corresponding .env file containing additional information needed
# to mount the image such as the root hash in the form of ell variables. To
# assure data integrity, the root hash must be stored in a trusted location
# or cryptographically signed and verified.
#
# Usage:
# DM_VERITY_IMAGE = "core-image-full-cmdline" # or other image
# DM_VERITY_IMAGE_TYPE = "ext4" # or ext2, ext3 & btrfs
# IMAGE_CLASSES += "dm-verity-img"
#
# The resulting image can then be used to implement the device mapper block
# integrity checking on the target device.
# Define the location where the DM_VERITY_IMAGE specific dm-verity root hash
# is stored where it can be installed into associated initramfs rootfs.
STAGING_VERITY_DIR ?= "${TMPDIR}/work-shared/${MACHINE}/dm-verity"
# Process the output from veritysetup and generate the corresponding .env
# file. The output from veritysetup is not very machine-friendly so we need to
# convert it to some better format. Let's drop the first line (doesn't contain
# any useful info) and feed the rest to a script.
process_verity() {
local ENV="${STAGING_VERITY_DIR}/${IMAGE_BASENAME}.$TYPE.verity.env"
install -d ${STAGING_VERITY_DIR}
rm -f $ENV
# Each line contains a key and a value string delimited by ':'. Read the
# two parts into separate variables and process them separately. For the
# key part: convert the names to upper case and replace spaces with
# underscores to create correct shell variable names. For the value part:
# just trim all white-spaces.
IFS=":"
while read KEY VAL; do
printf '%s=%s\n' \
"$(echo "$KEY" | tr '[:lower:]' '[:upper:]' | sed 's/ /_/g')" \
"$(echo "$VAL" | tr -d ' \t')" >> $ENV
done
# Add partition size
echo "DATA_SIZE=$SIZE" >> $ENV
}
verity_setup() {
local TYPE=$1
local INPUT=${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.$TYPE
local SIZE=$(stat --printf="%s" $INPUT)
local OUTPUT=$INPUT.verity
cp -a $INPUT $OUTPUT
# Let's drop the first line of output (doesn't contain any useful info)
# and feed the rest to another function.
veritysetup --data-block-size=1024 --hash-offset=$SIZE format $OUTPUT $OUTPUT | tail -n +2 | process_verity
}
VERITY_TYPES = "ext2.verity ext3.verity ext4.verity btrfs.verity"
IMAGE_TYPES += "${VERITY_TYPES}"
CONVERSIONTYPES += "verity"
CONVERSION_CMD_verity = "verity_setup ${type}"
CONVERSION_DEPENDS_verity = "cryptsetup-native"
python __anonymous() {
verity_image = d.getVar('DM_VERITY_IMAGE')
verity_type = d.getVar('DM_VERITY_IMAGE_TYPE')
image_fstypes = d.getVar('IMAGE_FSTYPES')
pn = d.getVar('PN')
if not verity_image or not verity_type:
bb.warn('dm-verity-img class inherited but not used')
return
if verity_image != pn:
return # This doesn't concern this image
if len(verity_type.split()) is not 1:
bb.fatal('DM_VERITY_IMAGE_TYPE must contain exactly one type')
d.appendVar('IMAGE_FSTYPES', ' %s.verity' % verity_type)
# If we're using wic: we'll have to use partition images and not the rootfs
# source plugin so add the appropriate dependency.
if 'wic' in image_fstypes:
dep = ' %s:do_image_%s' % (pn, verity_type)
d.appendVarFlag('do_image_wic', 'depends', dep)
}
Reference in New Issue View Git Blame Copy Permalink