Andrew Geissler | 1fe918a | 2020-05-15 14:16:47 -0500 | [diff] [blame] | 1 | # SPDX-License-Identifier: MIT |
| 2 | # |
| 3 | # Copyright (C) 2020 BayLibre SAS |
| 4 | # Author: Bartosz Golaszewski <bgolaszewski@baylibre.com> |
| 5 | # |
| 6 | # This bbclass allows creating of dm-verity protected partition images. It |
| 7 | # generates a device image file with dm-verity hash data appended at the end |
| 8 | # plus the corresponding .env file containing additional information needed |
| 9 | # to mount the image such as the root hash in the form of ell variables. To |
| 10 | # assure data integrity, the root hash must be stored in a trusted location |
| 11 | # or cryptographically signed and verified. |
| 12 | # |
| 13 | # Usage: |
| 14 | # DM_VERITY_IMAGE = "core-image-full-cmdline" # or other image |
| 15 | # DM_VERITY_IMAGE_TYPE = "ext4" # or ext2, ext3 & btrfs |
| 16 | # IMAGE_CLASSES += "dm-verity-img" |
| 17 | # |
| 18 | # The resulting image can then be used to implement the device mapper block |
| 19 | # integrity checking on the target device. |
| 20 | |
| 21 | # Process the output from veritysetup and generate the corresponding .env |
| 22 | # file. The output from veritysetup is not very machine-friendly so we need to |
| 23 | # convert it to some better format. Let's drop the first line (doesn't contain |
| 24 | # any useful info) and feed the rest to a script. |
| 25 | process_verity() { |
| 26 | local ENV="$OUTPUT.env" |
| 27 | |
| 28 | # Each line contains a key and a value string delimited by ':'. Read the |
| 29 | # two parts into separate variables and process them separately. For the |
| 30 | # key part: convert the names to upper case and replace spaces with |
| 31 | # underscores to create correct shell variable names. For the value part: |
| 32 | # just trim all white-spaces. |
| 33 | IFS=":" |
| 34 | while read KEY VAL; do |
| 35 | echo -ne "$KEY" | tr '[:lower:]' '[:upper:]' | sed 's/ /_/g' >> $ENV |
| 36 | echo -ne "=" >> $ENV |
| 37 | echo "$VAL" | tr -d " \t" >> $ENV |
| 38 | done |
| 39 | |
| 40 | # Add partition size |
| 41 | echo "DATA_SIZE=$SIZE" >> $ENV |
| 42 | |
| 43 | ln -sf $ENV ${IMAGE_BASENAME}-${MACHINE}.$TYPE.verity.env |
| 44 | } |
| 45 | |
| 46 | verity_setup() { |
| 47 | local TYPE=$1 |
| 48 | local INPUT=${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.$TYPE |
| 49 | local SIZE=$(stat --printf="%s" $INPUT) |
| 50 | local OUTPUT=$INPUT.verity |
| 51 | |
| 52 | cp -a $INPUT $OUTPUT |
| 53 | |
| 54 | # Let's drop the first line of output (doesn't contain any useful info) |
| 55 | # and feed the rest to another function. |
| 56 | veritysetup --data-block-size=1024 --hash-offset=$SIZE format $OUTPUT $OUTPUT | tail -n +2 | process_verity |
| 57 | } |
| 58 | |
| 59 | VERITY_TYPES = "ext2.verity ext3.verity ext4.verity btrfs.verity" |
| 60 | IMAGE_TYPES += "${VERITY_TYPES}" |
| 61 | CONVERSIONTYPES += "verity" |
| 62 | CONVERSION_CMD_verity = "verity_setup ${type}" |
| 63 | CONVERSION_DEPENDS_verity = "cryptsetup-native" |
| 64 | |
| 65 | python __anonymous() { |
| 66 | verity_image = d.getVar('DM_VERITY_IMAGE') |
| 67 | verity_type = d.getVar('DM_VERITY_IMAGE_TYPE') |
| 68 | image_fstypes = d.getVar('IMAGE_FSTYPES') |
| 69 | pn = d.getVar('PN') |
| 70 | |
| 71 | if verity_image != pn: |
| 72 | return # This doesn't concern this image |
| 73 | |
| 74 | if not verity_image or not verity_type: |
| 75 | bb.warn('dm-verity-img class inherited but not used') |
| 76 | return |
| 77 | |
| 78 | if len(verity_type.split()) is not 1: |
| 79 | bb.fatal('DM_VERITY_IMAGE_TYPE must contain exactly one type') |
| 80 | |
| 81 | d.appendVar('IMAGE_FSTYPES', ' %s.verity' % verity_type) |
| 82 | |
| 83 | # If we're using wic: we'll have to use partition images and not the rootfs |
| 84 | # source plugin so add the appropriate dependency. |
| 85 | if 'wic' in image_fstypes: |
| 86 | dep = ' %s:do_image_%s' % (pn, verity_type) |
| 87 | d.appendVarFlag('do_image_wic', 'depends', dep) |
| 88 | } |