Hi,

On 14.04.20 11:05, Bartosz Golaszewski wrote:
> Mon, 13 Apr 2020 at 12:58 Ayoub Zaki <[email protected]> wrote:
>
>> basically this class generates a dm-verity hash that needs to be injected
>> inside the initramfs...it's a bit hacky.
>>
>> wouldn't signing the hash and including the verification public key in
>> initramfs be more portable?
>
> Sorry, but I don't see how this is a better solution. You then have to
> store two things somewhere: the hash and its signature. If the
> fitImage is already signed - there's no reason to have a second
> signature for the hash: it already comes from a trusted source.
>
> This would also inflate the size of the initramfs - not only would it
> need to include the cryptsetup tools but also additional tools for
> signature verification.


The hash + signature don't need to be stored in the initramfs in this case, but can be appended to the rootfs image.

Yes, in this case you would need a signature verification tool inside your initramfs and the corresponding public key.

It is clearly much better than poking around with circular dependencies.


On another point, the veritysetup call is not quite correct:

veritysetup --data-block-size=1024 --hash-offset=$SIZE format $OUTPUT $OUTPUT


If the size of your image is not a multiple of 1K, then you are excluding the last block!

Kind regards

--
Ayoub Zaki
Embedded Systems Consultant

Vaihinger Straße 2/1
D-71634 Ludwigsburg


Mobile   : +4917662901545
Email    : [email protected]
Homepage : https://embexus.com
VAT No.  : DE313902634
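
The block-size concern raised in this message, as an added example that is not part of the original e-mail or of the class under review: zero-pad the image to a whole number of data blocks before formatting, so no trailing partial block is left out. The function names are hypothetical, and `format_verity` simply reuses the command line quoted in the thread with the padded size.

```shell
#!/bin/sh
# Added example (not from the thread): make the image size a multiple of the
# dm-verity data block size before running veritysetup.

# padded_size SIZE BLOCK -> smallest multiple of BLOCK that is >= SIZE
padded_size() {
    echo $(( ($1 + $2 - 1) / $2 * $2 ))
}

# uncovered_bytes SIZE BLOCK -> trailing bytes that do not fill a whole block
uncovered_bytes() {
    echo $(( $1 % $2 ))
}

# pad_image IMAGE BLOCK -> zero-pads IMAGE in place and prints the new size
pad_image() {
    image=$1
    block=$2
    size=$(wc -c < "$image") || return 1
    size=$((size + 0))            # drop padding some wc versions print
    new=$(padded_size "$size" "$block")
    pad=$((new - size))
    if [ "$pad" -gt 0 ]; then
        # pad is always smaller than one block, so bs=1 stays cheap
        dd if=/dev/zero bs=1 count="$pad" 2>/dev/null >> "$image" || return 1
    fi
    echo "$new"
}

# format_verity IMAGE BLOCK -> pad, then run the command quoted in the thread
# with the hash tree appended at the padded size (requires veritysetup).
format_verity() {
    offset=$(pad_image "$1" "$2") || return 1
    veritysetup --data-block-size="$2" --hash-offset="$offset" format "$1" "$1"
}

# Usage (not executed here): format_verity rootfs.img 1024
```

The device that later opens the image must use the same padded size as the hash offset.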

View/Reply Online (#83904): 
https://lists.openembedded.org/g/openembedded-devel/message/83904