| Andrew Geissler | dc9d614 | 2023-05-19 09:38:37 -0500 | [diff] [blame] | 1 | dm-verity and x86-64 and systemd |
| 2 | -------------------------------- |
| 3 | In this example, we'll target combining qemux86-64 with dm-verity and |
| 4 | also systemd - systemd has dm-verity bindings and is more likely to be |
| 5 | used on x86. |
| 6 | |
| 7 | While dm-verity in a qemu environment doesn't make practial sense as a |
| 8 | deployment - it can be a useful stepping stone for testing and getting to |
| 9 | a final physical deployment. |
| 10 | |
| 11 | Set/uncomment the MACHINE line for "qemux86-64" if you haven't yet. It |
| 12 | should be the default if unspecified, but check to be sure. As of this |
| 13 | writing (kernel v6.1) the resulting qemux86-64 build can also be booted |
| 14 | successfully on physical hardware, but if you don't intend to use qemu, |
| 15 | you might instead want to choose "genericx86-64" |
| 16 | |
| 17 | This will make use of wic/systemd-bootdisk-dmverity.wks.in -- note that it |
| 18 | contains a dependency on the meta-intel layer for microcode, so you'll need |
| 19 | to fetch and add that layer in addition to the meta-security related layers. |
| 20 | |
| 21 | In addition to the basic dm-verity settings, choose systemd in local.conf: |
| 22 | |
| 23 | DISTRO_FEATURES:append = " security systemd" |
| 24 | VIRTUAL-RUNTIME_init_manager = "systemd" |
| 25 | EFI_PROVIDER = "systemd-boot" |
| 26 | PACKAGECONFIG:append:pn-systemd = " cryptsetup" |
| 27 | |
| 28 | Note the last line - you won't typically see that in on-line instructions |
| 29 | for enabling systemd. It is important for dm-verity, since it triggers |
| 30 | the build and installation of components like this onto the rootfs: |
| 31 | |
| 32 | /lib/systemd/system-generators/systemd-veritysetup-generator |
| 33 | /lib/systemd/systemd-veritysetup |
| 34 | |
| 35 | Now build the components for the wic image: |
| 36 | |
| 37 | bitbake intel-microcode |
| 38 | bitbake core-image-minimal |
| 39 | |
| 40 | Assemble the image: |
| 41 | |
| 42 | ------------------------------ |
| 43 | build-qemu-x86_64$wic create systemd-bootdisk-dmverity -e core-image-minimal |
| 44 | INFO: Building wic-tools... |
| 45 | |
| 46 | [...] |
| 47 | |
| 48 | INFO: Creating image(s)... |
| 49 | |
| 50 | INFO: The new image(s) can be found here: |
| 51 | ./systemd-bootdisk-dmverity.wks-202304181413-sda.direct |
| 52 | |
| 53 | The following build artifacts were used to create the image(s): |
| 54 | BOOTIMG_DIR: /home/paul/poky/build-qemu-x86_64/tmp/work/qemux86_64-poky-linux/core-image-minimal/1.0-r0/recipe-sysroot/usr/share |
| 55 | KERNEL_DIR: /home/paul/poky/build-qemu-x86_64/tmp/deploy/images/qemux86-64 |
| 56 | NATIVE_SYSROOT: /home/paul/poky/build-qemu-x86_64/tmp/work/core2-64-poky-linux/wic-tools/1.0-r0/recipe-sysroot-native |
| 57 | |
| 58 | INFO: The image(s) were created using OE kickstart file: |
| 59 | /home/paul/poky/meta-security/wic/systemd-bootdisk-dmverity.wks.in |
| 60 | build-qemu-x86_64$ |
| 61 | ------------------------------ |
| 62 | |
| 63 | The "runqemu" script defaults were acceptable for testing with only the |
| 64 | verity image needing to be specified, i.e. |
| 65 | |
| 66 | runqemu \ |
| 67 | nographic \ |
| 68 | qemux86-64 \ |
| 69 | tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64-*.rootfs.ext4.verity |
| 70 | |
| 71 | You will see the above "direct" image file and also similarly named |
| 72 | individual partition images. To boot on UEFI enabled physical hardware, |
| 73 | you need to simply write the "direct" image file to a USB stick with dd |
| 74 | and the partition images can largely be ignored. |
| 75 | |
| 76 | Further information on interacting with the systemd UEFI loader is here: |
| 77 | https://www.freedesktop.org/wiki/Software/systemd/systemd-boot/ |