Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Integrate veritysetup format command for dm-verity hash generation #74

Merged
merged 2 commits into from
Mar 7, 2024

Conversation

martinmcconnell
Copy link
Collaborator

@martinmcconnell martinmcconnell commented Feb 21, 2024

Also, include dynamic kernel version dm-verity hash in initramfs.

@@ -37,6 +37,9 @@ exec_erofs() {
popd
rm -f "${INITRAMFS_DIR}/initoverlayfs-$kver.img"
mkfs.erofs $erofs_compression "${INITRAMFS_DIR}/initoverlayfs-$kver.img" ${INITRAMFS_DUMP_DIR}
if false; then
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey Martin, I believe the if here is not needed as we have the set -ex in the top of the script but I am not sure, could you please double check?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should leave this in for now, it's gonna eventually become an "if ostree" kind of statement.

We don't want to do dm-verity for regular images, it has a performance cost and we don't have a secure boot story for non-ostree images.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ahh okay, thanks for the clarification.

OSTREE_BIN="/usr/bin/ostree"

if [ -e "$OSTREE_BIN" ]; then
       foobar
fi

Copy link
Collaborator

@ericcurtin ericcurtin Feb 23, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This check sadly won't work you can have /usr/bin/ostree installed but not be booting an ostree os, flatpak on Fedora Workstation is an example of that

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can leave if false in for now just to make progress and not block, I have ideas for the if OSTree check once the rpm-ostree integration is a bit futher along and we can boot an unverified OSTree image with initoverlayfs

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Eventually what we can do to somewhat accurately detect if we are building an initoverlayfs for ostree is in roughly this area of the codebase coreos/rpm-ostree#4721 you will see these args get passed in:

    let res = Command::new(dracut_path)
        .args(&[
            "--no-hostonly",
            "--kver",
            kernel_dir,
            "--reproducible",
            "-v",
            "--add",
            "ostree",
            "-f",
        ])

so if --add ostree is getting passed into this script, you know we are an ostree initoverlayfs build. We can do this check in this PR or save that for a later PR.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is one of many changes we will need in initoverlayfs-install to accommodate for the rpm-ostree flow...

@dougsland
Copy link
Collaborator

dougsland commented Feb 22, 2024

Hey Martin, nice patch, just small comment. You also might want to squash the patch but it's up to you.
Would be nice to use a title related instead of Vroom 16770 and a short description. After that and tested, move the patch to "ready to review".

@ericcurtin
Copy link
Collaborator

ericcurtin commented Mar 1, 2024

This is probably good to merge if you take it out of draft @martinmcconnell

Just make sure the script works with both "if false" and "if true" (but leave if false)

Next step after this PR is to make/teach systemd mount a dm-veritied initoverlayfs during bootup (and we will have to teach our special optimized Automotive init system that's coming too, but systemd is easier to start with).

@martinmcconnell martinmcconnell marked this pull request as ready for review March 1, 2024 13:10
@ericcurtin ericcurtin changed the title Vroom 16770 Integrate veritysetup format command for dm-verity hash generation Mar 1, 2024
@ericcurtin ericcurtin merged commit 3749f08 into containers:main Mar 7, 2024
5 checks passed
@ericcurtin ericcurtin mentioned this pull request Mar 7, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants