@@ -23,6 +23,5 @@ local_conf_header:
USER_root[flags] = "clear-text-password"
adjust-swupdate: |
ABROOTFS_IMAGE_RECIPE = "cip-core-image-security"
- VERITY_IMAGE_RECIPE = "cip-core-image-security"
security-override: |
OVERRIDES .= ":security"
@@ -2,4 +2,3 @@
# Copyright (c) Siemens AG, 2021-2024
copy_file library /lib/cryptsetup/functions /lib/cryptsetup/functions
-copy_file library /usr/share/verity-env/verity.env /usr/share/verity-env/verity.env
@@ -32,7 +32,44 @@ esac
. /scripts/functions
. /lib/cryptsetup/functions
-. /usr/share/verity-env/verity.env
+
+load_verity_env_from_cmdline()
+{
+ local verity_opts
+ local key
+ local val
+ local opt
+ verity_opts=$(cat /proc/cmdline | sed -n 's/.*cip.verity_root_options=\([^ ]*\).*/\1/p' | sed 's/,/ /g')
+ for opt in $verity_opts; do
+ key=$(echo $opt | sed 's/=.*//')
+ val=$(echo $opt | sed 's/^[^=]*=//')
+ case "$key" in
+ uuid)
+ UUID="$val"
+ ;;
+ salt)
+ SALT="$val"
+ ;;
+ data-blocks)
+ DATA_BLOCKS="$val"
+ ;;
+ data-block-size)
+ DATA_BLOCK_SIZE="$val"
+ ;;
+ hash-block-size)
+ HASH_BLOCK_SIZE="$val"
+ ;;
+ hash-offset)
+ HASH_OFFSET="$val"
+ ;;
+ hash)
+ ROOT_HASH="$val"
+ ;;
+ *)
+ ;;
+ esac
+ done
+}
find_root_via_image_uuid()
{
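Review bot: The values pulled from /proc/cmdline are never validated: when `cip.verity_root_options=` is absent or lacks a key, `load_verity_env_from_cmdline` returns 0 with UUID, ROOT_HASH etc. left unset, the call added inside `find_root_via_image_uuid` in the next hunk checks no status, and whatever later consumes those variables (presumably the veritysetup invocation, which is outside this hunk) would run with empty arguments instead of stopping the boot. The `key=`/`val=` lines also run `echo $opt` unquoted and spawn two `sed` processes per option; `key=${opt%%=*}` / `val=${opt#*=}` is POSIX and quote-safe, which leaves the single `sed` on the `verity_opts=` line (where the dot should be escaped: `cip\.verity_root_options`) as the only reason `sed` is added to HOOK_COPY_EXECS in the recipe hunk. Because `$verity_opts` is expanded unquoted, wrapping the loop in `set -f` / `set +f` stops a value such as `*` from being pathname-expanded. A short header comment stating that these values are trusted only because the kernel cmdline is part of the signed boot payload would record the security assumption the change relies on.
```shell
load_verity_env_from_cmdline()
{
	local verity_opts key val opt
	# The verity geometry and root hash are taken from the kernel cmdline; they are
	# only trustworthy because the cmdline is covered by the signed boot payload.
	verity_opts=$(sed -n 's/.*cip\.verity_root_options=\([^ ]*\).*/\1/p' /proc/cmdline | sed 's/,/ /g')
	set -f
	for opt in $verity_opts; do
		key=${opt%%=*}
		val=${opt#*=}
		# … unchanged: case "$key" in uuid) … hash) … esac …
	done
	set +f
	# Refuse to continue with an incomplete parameter set instead of silently
	# handing empty values to the later verity setup.
	if [ -z "$UUID" ] || [ -z "$SALT" ] || [ -z "$DATA_BLOCKS" ] || [ -z "$DATA_BLOCK_SIZE" ] \
	   || [ -z "$HASH_BLOCK_SIZE" ] || [ -z "$HASH_OFFSET" ] || [ -z "$ROOT_HASH" ]; then
		panic "cip.verity_root_options: incomplete verity parameters on kernel cmdline"
	fi
}
```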
@@ -63,6 +100,8 @@ find_root_via_image_uuid()
echo "ROOT=/dev/null" >/conf/param.conf
wait_for_udev 10
+load_verity_env_from_cmdline
+
case "$ROOT" in
PART*)
# Root was given as PARTUUID= or PARTLABEL=.
@@ -25,26 +25,4 @@ DEBIAN_DEPENDS .= ", cryptsetup"
DEBIAN_CONFLICTS = "initramfs-abrootfs-hook"
HOOK_ADD_MODULES = "dm_mod dm_verity"
-HOOK_COPY_EXECS = "veritysetup dmsetup"
-
-VERITY_IMAGE_RECIPE ?= "cip-core-image"
-
-# This is defined in image.bbclass which cannot be used in a package recipe.
-# However, we need to use IMAGE_FULLNAME to pick up any extensions of it.
-IMAGE_FULLNAME ??= "${VERITY_IMAGE_RECIPE}-${DISTRO}-${MACHINE}"
-
-VERITY_ENV_FILE = "${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.verity.env"
-
-do_install[depends] += "${VERITY_IMAGE_RECIPE}:do_image_verity"
-do_install[cleandirs] += "${D}/usr/share/verity-env"
-
-do_install:append() {
- # Insert the veritysetup commandline into the script
- if [ -f "${VERITY_ENV_FILE}" ]; then
- install -m 0600 "${VERITY_ENV_FILE}" "${D}/usr/share/verity-env/verity.env"
- else
- bberror "Did not find ${VERITY_ENV_FILE}. initramfs will not be build correctly!"
- fi
-}
-
-addtask install after do_transform_template
+HOOK_COPY_EXECS = "veritysetup dmsetup sed"
@@ -4,5 +4,5 @@
part --source efibootguard-efi --size 16M --label efi --align 1024 --part-type=EF00 --active --sourceparams "signwith=/usr/bin/sign_secure_image.sh" --fsuuid 0x4321dcba --uuid d1360f76-b09a-4bcc-b923-8195088cbe02
# EFI Boot Guard environment/config partitions plus Kernel files
-part --source efibootguard-boot --fixed-size 64M --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,signwith=/usr/bin/sign_secure_image.sh" --fsuuid 0x4321dcbb --uuid f870258b-706f-4a66-8d58-b5a75ce61b8b
-part --source efibootguard-boot --fixed-size 64M --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,signwith=/usr/bin/sign_secure_image.sh" --fsuuid 0x4321dcbc --uuid 6e41f2a7-e3eb-403f-8637-b111e4482ee9
+part --source efibootguard-boot --fixed-size 64M --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,signwith=/usr/bin/sign_secure_image.sh,verity_root=y" --fsuuid 0x4321dcbb --uuid f870258b-706f-4a66-8d58-b5a75ce61b8b
+part --source efibootguard-boot --fixed-size 64M --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,signwith=/usr/bin/sign_secure_image.sh,verity_root=y" --fsuuid 0x4321dcbc --uuid 6e41f2a7-e3eb-403f-8637-b111e4482ee9
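Review bot: `verity_root=y` is the only trace in this file of the new behaviour and the plugin it steers is not shown, so the two BOOT lines should carry a comment naming its effect; from the commit message it presumably makes the efibootguard-boot plugin emit `cip.verity_root_options=` on the kernel cmdline. The comment should also state that the root hash carried there is only as trustworthy as the signature applied via `signwith=`, so the cmdline must remain inside the signed payload, e.g. `# verity_root=y: embed the dm-verity root options in the (signed) kernel cmdline`.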
Previously the verity env was injected as a file into the initrd and then sourced at runtime. As we now have infrastructure in place to add the verity env to the kernel cmdline, we replace the hard-coded values with logic to extract it from the kernel cmdline. By that, we also remove the dependency between the initramfs build and the verity creation, which reduces the set of dependencies (good for caching), as well as increases the parallelism of the build. Once widely supported, the initrd scripts can be completely replaced by the systemd-veritysetup-generator (identical syntax). Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com> --- kas/opt/security.yml | 1 - .../initramfs-verity-hook/files/hook | 1 - .../files/local-top-complete.tmpl | 41 ++++++++++++++++++- .../initramfs-verity-hook_0.2.bb | 24 +---------- wic/ebg-signed-sysparts.inc | 4 +- 5 files changed, 43 insertions(+), 28 deletions(-)