On Fri, 10 Apr 2020 at 14:34, Bartosz Golaszewski <[email protected]> wrote:
>
> From: Bartosz Golaszewski <[email protected]>
>
> This series attempts to introduce support for dm-verity in meta-security.
> It depends on a series[1] I submitted for OE-core that introduces multi-stage
> image deployment that's currently pending review (although the general idea
> was accepted by Richard). This new way of deploying image artifacts is aimed
> at solving a circular dependency problem[2] which turned out to be impossible
> to resolve if all artifacts are deployed at once by the do_image_complete
> task.
>
> The first patch in this series introduces a generic bbclass that allows
> generating and appending dm-verity hash data at the end of the partition image.
>
> The second patch adds support for an example verified boot image for Beagle
> Bone Black where the root dm-verity hash is stored inside the signed fitImage
> in an initramfs which takes care of mounting the protected rootfs.
>
> Patch 2/2 - while made sure to work on BBB - should be generic enough to be
> reusable across many platforms.
>
> [1] https://www.mail-archive.com/[email protected]/msg135694.html
> [2] https://www.mail-archive.com/[email protected]/msg134825.html
>
> Bartosz Golaszewski (2):
>   classes: provide a class for generating dm-verity meta-data images
>   dm-verity: add a working example for BeagleBone Black
>
>  classes/dm-verity-img.bbclass                 | 88 +++++++++++++++++++
>  .../images/dm-verity-image-initramfs.bb       | 26 ++++++
>  .../initrdscripts/initramfs-dm-verity.bb      | 13 +++
>  .../initramfs-dm-verity/init-dm-verity.sh     | 46 ++++++++++
>  wic/beaglebone-yocto-verity.wks.in            | 15 ++++
>  5 files changed, 188 insertions(+)
>  create mode 100644 classes/dm-verity-img.bbclass
>  create mode 100644 recipes-core/images/dm-verity-image-initramfs.bb
>  create mode 100644 recipes-core/initrdscripts/initramfs-dm-verity.bb
>  create mode 100644 recipes-core/initrdscripts/initramfs-dm-verity/init-dm-verity.sh
>  create mode 100644 wic/beaglebone-yocto-verity.wks.in
>
> --
> 2.25.0
>

Eek, this was supposed to be tagged [meta-security]. But since I'm posting it
as an RFC I won't be resending for now.

Bart
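
The cover letter above describes appending dm-verity hash data to the end of the partition image and keeping only the root hash inside the signed fitImage. The following is an added example, not code from this patch series or from meta-security: a simplified Python model of that arrangement, showing why one trusted root hash is enough to detect a change to any data block or to the appended hash data. The block size, SHA-256 with a prefixed salt, the leaves-first layout and all function names are assumptions of this model; it is not the on-disk format written by veritysetup.

```python
import hashlib

BLOCK = 4096                     # data/hash block size (assumed for this model)
DIGEST = 32                      # SHA-256 digest length
PER_BLOCK = BLOCK // DIGEST      # digests that fit in one hash block

def _h(salt, block):
    return hashlib.sha256(salt + block).digest()

def _hash_level(buf, salt):
    """Salted digest of every BLOCK-sized chunk, zero-padded to whole blocks."""
    out = b"".join(_h(salt, buf[i:i + BLOCK]) for i in range(0, len(buf), BLOCK))
    return out + b"\0" * (-len(out) % BLOCK)

def append_hash_data(data, salt):
    """Return (image, hash_offset, root_hash); hash levels follow the data, leaves first."""
    if not data or len(data) % BLOCK:
        raise ValueError("data must be a non-empty multiple of BLOCK")
    levels = [_hash_level(data, salt)]
    while len(levels[-1]) > BLOCK:               # stop once a level fits in one block
        levels.append(_hash_level(levels[-1], salt))
    return data + b"".join(levels), len(data), _h(salt, levels[-1])

def verify_block(image, hash_offset, salt, root_hash, index):
    """Check one data block against the trusted root using hash data stored in the image."""
    if not 0 <= index < hash_offset // BLOCK:
        return False
    digest = _h(salt, image[index * BLOCK:(index + 1) * BLOCK])
    off, n = hash_offset, hash_offset // BLOCK   # n = digests held by the current level
    while True:
        pos = off + index * DIGEST
        if image[pos:pos + DIGEST] != digest:    # stored digest must match what we computed
            return False
        level_blocks = -(-n // PER_BLOCK)        # hash blocks in this level
        index //= PER_BLOCK                      # hash block that holds that digest
        digest = _h(salt, image[off + index * BLOCK:off + (index + 1) * BLOCK])
        if level_blocks == 1:
            return digest == root_hash           # top block must hash to the trusted root
        off, n = off + level_blocks * BLOCK, level_blocks

if __name__ == "__main__":
    salt = bytes(32)                                                    # constructed salt
    rootfs = b"".join(i.to_bytes(2, "big") * 2048 for i in range(200))  # constructed data
    image, off, root = append_hash_data(rootfs, salt)
    tampered = bytearray(image)
    tampered[7 * BLOCK] ^= 1                     # flip one bit in data block 7
    print(verify_block(image, off, salt, root, 7),
          verify_block(bytes(tampered), off, salt, root, 7))
```

In this model the root hash is the only value that has to come from a trusted place; everything appended to the image is checked against it on each read.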
