On 14.04.20 18:19, Bartosz Golaszewski wrote:
On Tue, 14 Apr 2020 at 11:17, Ayoub Zaki <[email protected]> wrote:
Hi,
On 14.04.20 11:05, Bartosz Golaszewski wrote:
On Mon, 13 Apr 2020 at 12:58, Ayoub Zaki <[email protected]> wrote:
Basically this class generates a dm-verity hash that needs to be injected
inside the initramfs... it's a bit hacky.
Wouldn't signing the hash and including the verification public key in
the initramfs be more portable?
Sorry, but I don't see how this is a better solution. You then have to
store two things somewhere: the hash and its signature. If the
fitImage is already signed - there's no reason to have a second
signature for the hash: it already comes from a trusted source.
This would also inflate the size of the initramfs - not only would it
need to include the cryptsetup tools but also additional tools for
signature verification.
The hash + signature doesn't need to be stored in initramfs in this case but
appended to the rootfs image.
Yes, in this case you would need a signature verification tool inside your
initramfs and the corresponding public key.
But how is this better? I know this is how Android does dm-verity, but
it's not any simpler - I'd argue the actual implementation is more
complicated.
In case you do an OTA update with your approach, you will always need to
update kernel+initramfs and rootfs even if nothing has changed in the kernel
or initramfs, for example, to make sure that the hash inside the
initramfs is updated!
Another case is if your kernel+initramfs are part of the rootfs: how will
you deal with it? It's a chicken-and-egg problem.
It is clearly much better than to poke around with circular dependencies.
No it's not clearly better. Circular dependencies result from bad
design and should be fixed. I proposed simple changes that fix them in
OE-core.
From another point the veritysetup is not quite correct:
veritysetup --data-block-size=1024 --hash-offset=$SIZE format $OUTPUT $OUTPUT
If the size of your image is not a multiple of 1K then you are excluding the last
block!
Good catch! This is only an issue for ext2 but needs to be verified anyway.
Bart
Kind regards
--
Ayoub Zaki
Embedded Systems Consultant
Vaihinger Straße 2/1
D-71634 Ludwigsburg
Mobile : +4917662901545
Email : [email protected]
Homepage : https://embexus.com
VAT No. : DE313902634
View/Reply Online (#83911):
https://lists.openembedded.org/g/openembedded-devel/message/83911
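The block-size point raised at the end of the thread, as an added example that is not part of either poster's message or of the class under discussion: pad the image to a whole number of data blocks before appending the hash tree, so no trailing bytes fall outside verification. The function names are hypothetical; the veritysetup options are the ones quoted in the thread plus the existing `--data-blocks` option.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# dm-verity hashes whole data blocks only, so an image whose size is not a
# multiple of the data block size leaves its tail outside the hash tree.

DATA_BLOCK_SIZE=1024   # same value as --data-block-size in the thread

# Print the smallest multiple of block size $2 that is >= size $1.
aligned_size() {
    echo $(( ($1 + $2 - 1) / $2 * $2 ))
}

# Print how many trailing bytes of a $1-byte image would not be covered
# if it were formatted unpadded with block size $2.
uncovered_bytes() {
    echo $(( $1 % $2 ))
}

# Zero-pad image $1 in place to a multiple of block size $2.
# Prints the padded size, which is also the hash offset to use.
pad_image() {
    pad_img=$1
    pad_bs=$2
    pad_cur=$(( $(wc -c < "$pad_img") ))
    pad_new=$(aligned_size "$pad_cur" "$pad_bs")
    if [ "$pad_new" -ne "$pad_cur" ]; then
        dd if=/dev/zero bs=1 count=$(( pad_new - pad_cur )) \
            >> "$pad_img" 2>/dev/null
    fi
    echo "$pad_new"
}

# Pad, then append the hash tree to the same file as in the thread.
# --data-blocks states explicitly how many blocks must be covered.
format_verity() {
    fv_img=$1
    fv_off=$(pad_image "$fv_img" "$DATA_BLOCK_SIZE")
    veritysetup --data-block-size="$DATA_BLOCK_SIZE" \
        --data-blocks=$(( fv_off / DATA_BLOCK_SIZE )) \
        --hash-offset="$fv_off" format "$fv_img" "$fv_img"
}

# Usage (requires veritysetup): format_verity rootfs.img
```

The root hash printed by `veritysetup format` is the value that has to reach the initramfs or be signed, depending on which of the two designs discussed above is used.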