| Patrick Williams | 520786c | 2023-06-25 16:20:36 -0500 | [diff] [blame] | 1 | dm-verity and x86-64 and systemd - separate hash device |
| 2 | ------------------------------------------------------- |
| 3 | |
| 4 | Everything said in "dm-verity-systemd-x86-64.txt" applies here. |
| 5 | However booting under QEMU is not tested - only on real hardware. |
| 6 | So for your MACHINE you need to choose "genericx86-64". |
| 7 | |
| 8 | Also, you'll need to point at the hash specific WKS file: |
| 9 | |
| 10 | WKS_FILES += " systemd-bootdisk-dmverity-hash.wks.in" |
| 11 | |
| 12 | The fundamental difference is to use a separate device/partition for |
| 13 | storage of the hash data -- instead of "hiding" it beyond the filesystem |
| 14 | in what is essentially a 5-10% oversized partition. This takes any manual |
| 15 | math calculations of size/offset out of the picture, and uses the kernel's |
| 16 | natural behaviour of compartmentalizing devices to ensure they are separate. |
| 17 | |
| 18 | The example hash.wks file added here essentially adds a hash-only partition |
| 19 | directly after the filesystem partition. So the filesystem partition is |
| 20 | no longer "oversized" and no offsets are needed/used. |
| 21 | |
| 22 | Since we are now using multiple partitions, we make a better effort to use |
| 23 | accepted GPT partition types and UUIDs based on the roothash. This means |
| 24 | easier sysadmin level use/debugging based on cfdisk output etc. |
| 25 | |
| 26 | Generating the separate root hash image is driven off enabling this: |
| 27 | DM_VERITY_SEPARATE_HASH = "1" |
| 28 | |
| 29 | Two other variables control the GPT UUIDs - set to x86-64 defaults: |
| 30 | |
| 31 | DM_VERITY_ROOT_GUID ?= "4f68bce3-e8cd-4db1-96e7-fbcaf984b709" |
| 32 | DM_VERITY_RHASH_GUID ?= "2c7357ed-ebd2-46d9-aec1-23d437ec2bf5" |
| 33 | |
| 34 | See: https://uapi-group.org/specifications/specs/discoverable_partitions_specification/ |
| 35 | |
| 36 | Finally, the UUIDs (not the "partition types" above) are based off of |
| 37 | the root node hash value as per the systemd "autodetect" proposed standard. |
| 38 | These will obviously change with every update/rebuild of the root image. |
| 39 | |
| 40 | While not strictly coupled to any functionality at this point in time, it |
| 41 | does aid in easier debugging, and puts us in alignment with using systemd |
| 42 | inside the initramfs to replace manual veritysetup like configuration we |
| 43 | currently do in the initramfs today, should we decide to do so later on. |