Re: [yocto] [meta-security][PATCH 0/4] dm-verity: add instructions for systemd x86-64

Sat, 13 May 2023 03:09:39 -0700 


On 5/10/23 11:04 AM, [email protected] wrote:

From: Paul Gortmaker <[email protected]>

This second series continues in the same general theme of making it
easier to use dm-verity within the Yocto/OE framework by adding a worked
example that can boot on x86-64 in QEMU and on physical hardware.

A couple small clarifications to exisitng files are also added.

Based on my reading, I believe there are still two things that would be
nice to support if time permits.  They are somewhat intertwined.

Firstly, the dm-verity basically has two places to store the hash data -
at the end of the filesystem data in an "oversized" partition, or in a
completely separate partition/device.  Our current support is hardwired
to the append single partition support.

Secondly, we currently call veritysetup from within the initramfs with
all the parameters (hash size, location etc.) - which was sensible for
a sysV init based system.  However my reading seems to indicate that
recent systemd supports direct enablement of dm-verity device(s) from
either boot arguments or autodetection via GPT UUIDs assigned to
dm-verity (and dm-verity-hash).  Meaning (in theory) we should not
need to be manually calling veritysetup in a systemd initramfs at all.

So we'll see how that goes.  Might lead to another wks.in example?


Merged
thanks

---

Paul Gortmaker (4):
   dm-verity: ensure people don't ignore the DISTRO_FEATURES warning
   dm-verity: don't make read-only-rootfs sound like a requirement
   dm-verity: document the meta-intel dependency in the systemd example
   dm-verity: add x86-64 systemd based example instructions

  docs/dm-verity-systemd-x86-64.txt    | 77 ++++++++++++++++++++++++++++
  docs/dm-verity.txt                   | 13 ++++-
  wic/systemd-bootdisk-dmverity.wks.in |  1 +
  3 files changed, 89 insertions(+), 2 deletions(-)
  create mode 100644 docs/dm-verity-systemd-x86-64.txt




-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#60008): https://lists.yoctoproject.org/g/yocto/message/60008
Mute This Topic: https://lists.yoctoproject.org/mt/98808914/21656
Group Owner: [email protected]
Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-























					Reply via email to