Tue, 14 Apr 2020 at 11:17 Ayoub Zaki <[email protected]> wrote:
>
> Hi,
>
> On 14.04.20 11:05, Bartosz Golaszewski wrote:
>
> Mon, 13 Apr 2020 at 12:58 Ayoub Zaki <[email protected]> wrote:
>
> basically this class generates a dm-verity hash that needs to be injected
> inside the initramfs...it's a bit hacky.
>
> wouldn't signing the hash and including the verification public key in
> initramfs be more portable?
>
> Sorry, but I don't see how this is a better solution. You then have to
> store two things somewhere: the hash and its signature. If the
> fitImage is already signed - there's no reason to have a second
> signature for the hash: it already comes from a trusted source.
>
> This would also inflate the size of the initramfs - not only would it
> need to include the cryptsetup tools but also additional tools for
> signature verification.
>
>
> The hash + signature doesn't need to be stored in initramfs in this case but
> appended to the rootfs image.
>
> yes, you would need in this case a signature verification tool inside your
> initramfs and the corresponding public key.
>

But how is this better? I know this is how Android does dm-verity, but
it's not any simpler - I'd argue the actual implementation is more
complicated.

> It is clearly much better than to poke around with circular dependencies.
>

No, it's not clearly better. Circular dependencies result from bad
design and should be fixed. I proposed simple changes that fix them in
OE-core.

>
> From another point, the veritysetup call is not quite correct:
>
> veritysetup --data-block-size=1024 --hash-offset=$SIZE format $OUTPUT $OUTPUT
>
>
> If the size of your image is not a multiple of 1K then you are excluding the last
> block!
>

Good catch! This is only an issue for ext2 but needs to be verified anyway.

Bart
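Added example, not part of the thread and not code from the class under discussion: one way to handle the block-size issue raised at the end of the message above is to pad the image to a whole number of 1024-byte data blocks before its size is used as --hash-offset. The function names are hypothetical; the veritysetup invocation is the one quoted in the thread.

```shell
#!/bin/sh
# Added example: keep the tail of the image inside the verified area by
# padding it to a multiple of the dm-verity data block size.

BLOCK_SIZE=1024   # matches --data-block-size=1024 in the quoted command

# Bytes left in a trailing partial block for an image of size $1.
# Non-zero means the last block is incomplete and would be excluded.
uncovered_bytes() {
    echo $(( $1 % BLOCK_SIZE ))
}

# Smallest multiple of BLOCK_SIZE that is >= $1.
aligned_size() {
    echo $(( ($1 + BLOCK_SIZE - 1) / BLOCK_SIZE * BLOCK_SIZE ))
}

# Zero-pad image file $1 in place up to the aligned size and print that
# size, which is then safe to use as the hash offset.
pad_image() {
    img=$1
    [ -f "$img" ] || { echo "no such image: $img" >&2; return 1; }
    size=$(( $(wc -c < "$img") ))
    target=$(aligned_size "$size")
    if [ "$target" -gt "$size" ]; then
        dd if=/dev/zero bs=1 count=$(( target - size )) >> "$img" 2>/dev/null
    fi
    echo "$target"
}

# Pad first, then run the command from the thread with the padded size.
# Requires veritysetup (cryptsetup) on the build host.
format_verity() {
    img=$1
    offset=$(pad_image "$img") || return 1
    veritysetup --data-block-size="$BLOCK_SIZE" --hash-offset="$offset" \
        format "$img" "$img"
}
```

Padding is idempotent: an image that is already block-aligned is left unchanged, so the step can sit in an image build without special-casing ext2.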
