From: Bartosz Golaszewski <[email protected]>

This series attempts to introduce support for dm-verity in meta-security. It depends on a series[1] I submitted for OE-core that introduces multi-stage image deployment that's currently pending review (although the general idea was accepted by Richard). This new way of deploying image artifacts is aimed at solving a circular dependency problem[2] which turned out to be impossible to resolve if all artifacts are deployed at once by the do_image_complete task.

The first patch in this series introduces a generic bbclass that allows generating and appending dm-verity hash data at the end of the partition image. The second patch adds support for an example verified boot image for Beagle Bone Black where the root dm-verity hash is stored inside the signed fitImage in an initramfs which takes care of mounting the protected rootfs. Patch 2/2 - while made sure to work on BBB - should be generic enough to be reusable across many platforms.

[1] https://www.mail-archive.com/[email protected]/msg135694.html
[2] https://www.mail-archive.com/[email protected]/msg134825.html

Bartosz Golaszewski (2):
  classes: provide a class for generating dm-verity meta-data images
  dm-verity: add a working example for BeagleBone Black

 classes/dm-verity-img.bbclass                 | 88 +++++++++++++++++++
 .../images/dm-verity-image-initramfs.bb       | 26 ++++++
 .../initrdscripts/initramfs-dm-verity.bb      | 13 +++
 .../initramfs-dm-verity/init-dm-verity.sh     | 46 ++++++++++
 wic/beaglebone-yocto-verity.wks.in            | 15 ++++
 5 files changed, 188 insertions(+)
 create mode 100644 classes/dm-verity-img.bbclass
 create mode 100644 recipes-core/images/dm-verity-image-initramfs.bb
 create mode 100644 recipes-core/initrdscripts/initramfs-dm-verity.bb
 create mode 100644 recipes-core/initrdscripts/initramfs-dm-verity/init-dm-verity.sh
 create mode 100644 wic/beaglebone-yocto-verity.wks.in

-- 
2.25.0
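
As an added illustration (not code from this patch series), the following Python model shows the layout the cover letter describes: a hash tree appended after the filesystem data, with only the root hash trusted from elsewhere (in the series, the signed fitImage). The block size, salt handling, level ordering and all function names are assumptions of this model, and it does not reproduce the real dm-verity on-disk format.

```python
import hashlib

BLOCK = 4096                  # data and hash block size (assumed for this model)
DIGEST = 32                   # SHA-256 digest length
PER_BLOCK = BLOCK // DIGEST   # digests held by one hash block

def _h(salt, block):
    return hashlib.sha256(salt + block).digest()

def _hash_level(salt, blob):
    """Digest every block of blob and zero-pad the result to a whole hash block."""
    out = b"".join(_h(salt, blob[i:i + BLOCK]) for i in range(0, len(blob), BLOCK))
    return out + b"\0" * (-len(out) % BLOCK)

def append_hash_tree(data, salt):
    """Return (image, root_hash); image is data followed by the tree, top level first."""
    if not data or len(data) % BLOCK:
        raise ValueError("data must be a non-empty multiple of BLOCK")
    levels = [_hash_level(salt, data)]
    while len(levels[-1]) > BLOCK:
        levels.append(_hash_level(salt, levels[-1]))
    return data + b"".join(reversed(levels)), _h(salt, levels[-1])

def _level_offsets(data_blocks):
    """Byte offset of each level inside the appended hash area, leaf level first."""
    sizes, n = [], data_blocks
    while not sizes or n > 1:
        n = -(-n // PER_BLOCK)            # hash blocks needed to hold n digests
        sizes.append(n * BLOCK)
    return [sum(sizes[i + 1:]) for i in range(len(sizes))]

def read_block(image, data_size, salt, root_hash, n):
    """Return data block n only if its hash path up to the trusted root checks out."""
    tree, child, idx = image[data_size:], image[n * BLOCK:(n + 1) * BLOCK], n
    for start in _level_offsets(data_size // BLOCK):
        pos = start + (idx // PER_BLOCK) * BLOCK
        hblock = tree[pos:pos + BLOCK]
        slot = (idx % PER_BLOCK) * DIGEST
        if _h(salt, child) != hblock[slot:slot + DIGEST]:
            raise ValueError(f"hash mismatch on the path of block {n}")
        child, idx = hblock, idx // PER_BLOCK
    if _h(salt, child) != root_hash:
        raise ValueError("top hash block does not match the trusted root hash")
    return image[n * BLOCK:(n + 1) * BLOCK]
```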
