This set of patches addresses some small issues in the dm-verity rootfs
facility, which were observed while making use of dm-verity-img.bbclass
to generate dm-verity rootfs images for real arm-based hardware. For
purposes of establishing this changeset, the default 'qemux86-64'
machine was used as a reference.

During testing/development the following additional settings were
defined in local.conf:

  DM_VERITY_IMAGE = "core-image-minimal"
  DM_VERITY_IMAGE_TYPE = "ext4"
  IMAGE_CLASSES += "dm-verity-img"
  INITRAMFS_IMAGE_BUNDLE = "1"
  INITRAMFS_IMAGE = "dm-verity-image-initramfs"

And the following command line was used to test the changes with qemu:

  
KERNEL=.../build/tmp/deploy/images/qemux86-64/bzImage-initramfs-qemux86-64.bin \
    QB_NET=none \
    runqemu \
    nographic \
    qemuparams="-nic none" \
    qemux86-64 \
    
.../build/tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64-*.rootfs.ext4.verity

Update since v1:

Based on the feedback to v1 of the changeset, I was able to observe that
if the wic image type is used with this facility, it introduces a circular
dependency related to the

  do_image_wic[recrdeptask] += "do_deploy"

declaration in meta/classes/image_types_wic.bbclass side, and on the
other hand, related to the

  do_rootfs[depends] += "${DM_VERITY_IMAGE}:do_image_${DM_VERITY_IMAGE_TYPE}"

declaration in
meta-security/recipes-core/images/dm-verity-image-initramfs.bb side.

In order to mitigate this situation, this version of the changeset introduces
a custom staging directory for passing the DM_VERITY_IMAGE rootfs specific
verity.env file to the initramfs image. While this may not be the most
optimal solution to the issue of passing staging files from one image
nested in another image, it should nevertheless resolve the issue in a
(hopefully) non-conflicting fashion for the time being, also making
'wic' images usable with the facility.

Furthermore, the original dm-verity initramfs /init facility was replaced
to use the existing poky-provided initramfs-framework suite complemented
with a dm-verity specific module, and I also added some optimizations to
the dm-verity-initramfs-image recipe, and a fix to a relevant wks.in file.

In addition to testing this updated changeset against the default
'qemux86-64' machine, I also tested against the 'beaglebone-yocto' machine
and a BeagleBone Black board, for which purpose I also added the
following lines to local.conf:

  MACHINE = "beaglebone-yocto"
  IMAGE_BOOT_FILES_remove = "zImage"
  IMAGE_BOOT_FILES_append = " zImage-initramfs-${MACHINE}.bin;zImage"
  WKS_FILES = "${MACHINE}-verity.wks.in"

Since I use poky master branch, I also had to introduce

  CONFIG_MMC_SDHCI=y
  CONFIG_MMC_SDHCI_PLTFM=y
  CONFIG_MMC_SDHCI_OMAP=y

via a kernel config fragment to adapt to the included change in the kernel
source tree
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?h=v5.8&id=0b4edf111870b83ea77b1d7e16b8ceac29f9f388
which otherwise prevented Linux from detecting either the eMMC or the attached
SD card on the BeagleBone Black board.

When booting up the board from an SD card which was programmed using the
resulting 'core-image-minimal-beaglebone-yocto.wic' file, e.g. the
following lines were observed

  Freeing unused kernel memory: 13312K
  Run /init as init process
  udevd[148]: starting version 3.2.9
  udevd[149]: starting eudev-3.2.9
  device-mapper: verity: sha256 using implementation "sha256-generic"
  EXT4-fs (dm-0): mounted filesystem with ordered data mode. Opts: (null)
  INIT: version  booting
  Starting udev

and after logging in via serial console checked that

  root@beaglebone-yocto:~# grep ' / ' /proc/mounts 
  /dev/mapper/rootfs / ext4 ro,relatime 0 0

Finally, at least one obvious caveat in the current changeset is the added

  do_image[nostamp] = "1"

flag in dm-verity-image-initramfs.bb which seemed to have the impact of
rendering sstate-cache artifacts for virtual/kernel unusable.

Niko Mauno (12):
  dm-verity-img.bbclass: Fix bashisms
  dm-verity-img.bbclass: Reorder parse-time check
  dm-verity-image-initramfs: Ensure verity hash sync
  dm-verity-image-initramfs: Bind at do_image instead
  linux-yocto(-dev): Add dm-verity fragment as needed
  dm-verity-img.bbclass: Stage verity.env file
  initramfs-framework: Add dmverity module
  dm-verity-image-initramfs: Use initramfs-framework
  dm-verity-initramfs-image: Cosmetic improvements
  dm-verity-image-initramfs: Add base-passwd package
  dm-verity-image-initramfs: Drop locales from image
  beaglebone-yocto-verity.wks.in: Refer IMGDEPLOYDIR

 classes/dm-verity-img.bbclass                 | 22 ++++----
 .../images/dm-verity-image-initramfs.bb       | 28 ++++++----
 .../initrdscripts/initramfs-dm-verity.bb      | 13 -----
 .../initramfs-dm-verity/init-dm-verity.sh     | 46 ----------------
 .../initramfs-framework/dmverity              | 54 +++++++++++++++++++
 .../initramfs-framework_1.0.bbappend          | 16 ++++++
 recipes-kernel/linux/linux-yocto-dev.bbappend |  1 +
 recipes-kernel/linux/linux-yocto_5.%.bbappend |  1 +
 wic/beaglebone-yocto-verity.wks.in            |  2 +-
 9 files changed, 104 insertions(+), 79 deletions(-)
 delete mode 100644 recipes-core/initrdscripts/initramfs-dm-verity.bb
 delete mode 100644 recipes-core/initrdscripts/initramfs-dm-verity/init-dm-verity.sh
 create mode 100644 recipes-core/initrdscripts/initramfs-framework/dmverity
 create mode 100644 recipes-core/initrdscripts/initramfs-framework_1.0.bbappend

-- 
2.20.1
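The cover letter verifies the result by hand with `grep ' / ' /proc/mounts` and reading the line by eye. The following POSIX sh script is an added example, not part of the patch series or of meta-security, that turns that manual check into a function which can be run from a post-boot test: it parses a /proc/mounts style text, finds the "/" entry, and reports success only when the device is the dm-verity mapping (`/dev/mapper/rootfs` by default, the name shown in the boot log above) and the mount carries the `ro` option. The sample mounts text embedded in the script is constructed; only the `/dev/mapper/rootfs` line mirrors the one in the cover letter.

```shell
#!/bin/sh
# Added example (not from the patch series): check that "/" is served by the
# dm-verity mapping and is mounted read-only, as the cover letter verified
# manually with `grep ' / ' /proc/mounts`.

# Constructed sample of /proc/mounts. Only the /dev/mapper/rootfs line
# mirrors the cover letter's BeagleBone Black output; the rest is made up.
SAMPLE_MOUNTS='proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
/dev/mapper/rootfs / ext4 ro,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0'

# root_is_verity_ro MOUNTS_TEXT [MAPPER_NAME]
# Exit status 0 when the "/" entry is backed by /dev/mapper/<MAPPER_NAME>
# and its option list contains "ro"; 1 if the device differs, the mount is
# writable, or no "/" entry exists. MAPPER_NAME defaults to "rootfs".
root_is_verity_ro() {
    _mounts=$1
    _name=${2:-rootfs}
    printf '%s\n' "$_mounts" | awk -v dev="/dev/mapper/$_name" '
        $2 == "/" {
            found = 1
            # Wrong backing device: not the verity mapping at all.
            if ($1 != dev) exit 1
            # Options are a comma-separated list in field 4; require "ro".
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "ro") ok = 1
            if (ok) exit 0
            exit 1
        }
        END { if (!found) exit 1 }'
}

# check_live_root [MAPPER_NAME]: the same check against the running system.
check_live_root() {
    root_is_verity_ro "$(cat /proc/mounts)" "$@"
}

if root_is_verity_ro "$SAMPLE_MOUNTS"; then
    echo "root is on the dm-verity mapping and mounted read-only"
else
    echo "root is NOT a read-only dm-verity mapping" >&2
fi
```

On a booted target, call `check_live_root` (optionally with the mapper name, if the initramfs module uses one other than `rootfs`) and act on its exit status; the awk program exits as soon as the "/" entry is seen, so a missing entry is reported from the END block rather than being silently treated as success.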

View/Reply Online (#50621): https://lists.yoctoproject.org/g/yocto/message/50621