mirror of
https://git.yoctoproject.org/meta-security
synced 2026-05-09 05:29:56 +00:00
Paul Gortmaker
521e7b040a
The prior commits create the separate hash so now it is time to update the initramfs framework so that veritysetup, which is responsible for binding the data and hash, is aware of when separate hash is in use, and can react accordingly. The added code follows the existing appended hash code style, but is considerably smaller because it doesn't have the large case statement that supports all possible identification schemes (label, UUID, ...). With the root hash split in two to create the respective partition UUIDs, we know exactly how to identify it, and the UUIDs used. Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
94 lines
2.7 KiB
Bash
94 lines
2.7 KiB
Bash
#!/bin/sh
|
|
|
|
dmverity_enabled() {
|
|
return 0
|
|
}
|
|
|
|
dmverity_run() {
|
|
DATA_SIZE="__not_set__"
|
|
DATA_BLOCK_SIZE="__not_set__"
|
|
ROOT_HASH="__not_set__"
|
|
SEPARATE_HASH="__not_set__"
|
|
|
|
. /usr/share/misc/dm-verity.env
|
|
|
|
C=0
|
|
delay=${bootparam_rootdelay:-1}
|
|
timeout=${bootparam_roottimeout:-5}
|
|
|
|
# we know exactly what we are looking for; don't need the wide hunt below
|
|
if [ "${SEPARATE_HASH}" -eq "1" ]; then
|
|
while [ ! -b "/dev/disk/by-partuuid/${ROOT_UUID}" ]; do
|
|
if [ $(( $C * $delay )) -gt $timeout ]; then
|
|
fatal "Root device (data) resolution failed"
|
|
exit 1
|
|
fi
|
|
debug "Sleeping for $delay second(s) to wait for root data to settle..."
|
|
sleep $delay
|
|
C=$(( $C + 1 ))
|
|
done
|
|
|
|
veritysetup \
|
|
--data-block-size=${DATA_BLOCK_SIZE} \
|
|
create rootfs \
|
|
/dev/disk/by-partuuid/${ROOT_UUID} \
|
|
/dev/disk/by-partuuid/${RHASH_UUID} \
|
|
${ROOT_HASH}
|
|
|
|
mount \
|
|
-o ro \
|
|
/dev/mapper/rootfs \
|
|
${ROOTFS_DIR} || exit 2
|
|
|
|
return
|
|
fi
|
|
|
|
RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=} 2>/dev/null)"
|
|
while [ ! -b "${RDEV}" ]; do
|
|
if [ $(( $C * $delay )) -gt $timeout ]; then
|
|
fatal "Root device resolution failed"
|
|
exit 1
|
|
fi
|
|
|
|
case "${bootparam_root}" in
|
|
ID=*)
|
|
RDEV="$(realpath /dev/disk/by-id/${bootparam_root#ID=} 2>/dev/null)"
|
|
;;
|
|
LABEL=*)
|
|
RDEV="$(realpath /dev/disk/by-label/${bootparam_root#LABEL=} 2>/dev/null)"
|
|
;;
|
|
PARTLABEL=*)
|
|
RDEV="$(realpath /dev/disk/by-partlabel/${bootparam_root#PARTLABEL=} 2>/dev/null)"
|
|
;;
|
|
PARTUUID=*)
|
|
RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=} 2>/dev/null)"
|
|
;;
|
|
PATH=*)
|
|
RDEV="$(realpath /dev/disk/by-path/${bootparam_root#PATH=} 2>/dev/null)"
|
|
;;
|
|
UUID=*)
|
|
RDEV="$(realpath /dev/disk/by-uuid/${bootparam_root#UUID=} 2>/dev/null)"
|
|
;;
|
|
*)
|
|
RDEV="${bootparam_root}"
|
|
esac
|
|
debug "Sleeping for $delay second(s) to wait root to settle..."
|
|
sleep $delay
|
|
C=$(( $C + 1 ))
|
|
|
|
done
|
|
|
|
veritysetup \
|
|
--data-block-size=${DATA_BLOCK_SIZE} \
|
|
--hash-offset=${DATA_SIZE} \
|
|
create rootfs \
|
|
${RDEV} \
|
|
${RDEV} \
|
|
${ROOT_HASH}
|
|
|
|
mount \
|
|
-o ro \
|
|
/dev/mapper/rootfs \
|
|
${ROOTFS_DIR} || exit 2
|
|
}
|