blob: d8099858cc07e29afbeefe5b38a83eb1bc0bd431 [file] [log] [blame]
# SPDX-License-Identifier: MIT
# Copyright (C) 2020 BayLibre SAS
# Author: Bartosz Golaszewski <>
# This bbclass allows creating of dm-verity protected partition images. It
# generates a device image file with dm-verity hash data appended at the end
# plus the corresponding .env file containing additional information needed
# to mount the image such as the root hash in the form of ell variables. To
# assure data integrity, the root hash must be stored in a trusted location
# or cryptographically signed and verified.
# Usage:
# DM_VERITY_IMAGE = "core-image-full-cmdline" # or other image
# DM_VERITY_IMAGE_TYPE = "ext4" # or ext2, ext3 & btrfs
# IMAGE_CLASSES += "dm-verity-img"
# The resulting image can then be used to implement the device mapper block
# integrity checking on the target device.
# Define the location where the DM_VERITY_IMAGE specific dm-verity root hash
# is stored where it can be installed into associated initramfs rootfs.
STAGING_VERITY_DIR ?= "${TMPDIR}/work-shared/${MACHINE}/dm-verity"
# Define the data block size to use in veritysetup.
# Define the hash block size to use in veritysetup.
# Process the output from veritysetup and generate the corresponding .env
# file. The output from veritysetup is not very machine-friendly so we need to
# convert it to some better format. Let's drop the first line (doesn't contain
# any useful info) and feed the rest to a script.
process_verity() {
install -d ${STAGING_VERITY_DIR}
rm -f $ENV
# Each line contains a key and a value string delimited by ':'. Read the
# two parts into separate variables and process them separately. For the
# key part: convert the names to upper case and replace spaces with
# underscores to create correct shell variable names. For the value part:
# just trim all white-spaces.
while read KEY VAL; do
printf '%s=%s\n' \
"$(echo "$KEY" | tr '[:lower:]' '[:upper:]' | sed 's/ /_/g')" \
"$(echo "$VAL" | tr -d ' \t')" >> $ENV
# Add partition size
echo "DATA_SIZE=$SIZE" >> $ENV
verity_setup() {
local TYPE=$1
local SIZE=$(stat --printf="%s" $INPUT)
local OUTPUT=$INPUT.verity
SIZE=$(expr \( $SIZE + $align - 1 \) / $align \* $align)
# Let's drop the first line of output (doesn't contain any useful info)
# and feed the rest to another function.
veritysetup --data-block-size=${DM_VERITY_IMAGE_DATA_BLOCK_SIZE} --hash-block-size=${DM_VERITY_IMAGE_HASH_BLOCK_SIZE} --hash-offset=$SIZE format $OUTPUT $OUTPUT | tail -n +2 | process_verity
ext2.verity ext3.verity ext4.verity \
btrfs.verity \
erofs.verity erofs-lz4.verity erofs-lz4hc.verity \
squashfs.verity squashfs-xz.verity squashfs-lzo.verity squashfs-lz4.verity squashfs-zst.verity \
CONVERSION_CMD:verity = "verity_setup ${type}"
CONVERSION_DEPENDS_verity = "cryptsetup-native"
python __anonymous() {
verity_image = d.getVar('DM_VERITY_IMAGE')
verity_type = d.getVar('DM_VERITY_IMAGE_TYPE')
image_fstypes = d.getVar('IMAGE_FSTYPES')
pn = d.getVar('PN')
if not verity_image or not verity_type:
bb.warn('dm-verity-img class inherited but not used')
if verity_image != pn:
return # This doesn't concern this image
if len(verity_type.split()) != 1:
bb.fatal('DM_VERITY_IMAGE_TYPE must contain exactly one type')
d.appendVar('IMAGE_FSTYPES', ' %s.verity' % verity_type)
# If we're using wic: we'll have to use partition images and not the rootfs
# source plugin so add the appropriate dependency.
if 'wic' in image_fstypes:
dep = ' %s:do_image_%s' % (pn, verity_type.replace("-", "_"))
d.appendVarFlag('do_image_wic', 'depends', dep)