Integrate veritysetup format command for dm-verity hash generation #74
Conversation
Signed-off-by: Martin McConnell <[email protected]>
@@ -37,6 +37,9 @@ exec_erofs() { | |||
popd | |||
rm -f "${INITRAMFS_DIR}/initoverlayfs-$kver.img" | |||
mkfs.erofs $erofs_compression "${INITRAMFS_DIR}/initoverlayfs-$kver.img" ${INITRAMFS_DUMP_DIR} | |||
if false; then |
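Review bot: The `if false; then` added right after the `mkfs.erofs` line unconditionally disables the block it guards, and nothing in the hunk records why; the closing `fi` and the guarded body are outside the visible lines, so the hunk alone does not show that the new `if` stays balanced inside `exec_erofs()`. Since the thread treats this as a placeholder for a future ostree-only condition, a named variable such as `ENABLE_DM_VERITY=false` tested with `if [ "$ENABLE_DM_VERITY" = true ]; then`, plus a one-line comment naming the intended ostree check, would keep the intent visible in the script and let the guarded veritysetup path be exercised by flipping one value, as the maintainer asks below ("make sure the script works with both").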
Hey Martin, I believe the `if` here is not needed as we have the `set -ex` at the top of the script, but I am not sure; could you please double check?
We should leave this in for now, it's gonna eventually become an "if ostree" kind of statement.
We don't want to do dm-verity for regular images, it has a performance cost and we don't have a secure boot story for non-ostree images.
ahh okay, thanks for the clarification.

```bash
OSTREE_BIN="/usr/bin/ostree"
if [ -e "$OSTREE_BIN" ]; then
    foobar
fi
```
This check sadly won't work: you can have /usr/bin/ostree installed but not be booting an ostree OS; flatpak on Fedora Workstation is an example of that.
We can leave `if false` in for now just to make progress and not block. I have ideas for the `if OSTree` check once the rpm-ostree integration is a bit further along and we can boot an unverified OSTree image with initoverlayfs.
Eventually what we can do to somewhat accurately detect if we are building an initoverlayfs for ostree is in roughly this area of the codebase coreos/rpm-ostree#4721; you will see these args get passed in:

```rust
let res = Command::new(dracut_path)
    .args(&[
        "--no-hostonly",
        "--kver",
        kernel_dir,
        "--reproducible",
        "-v",
        "--add",
        "ostree",
        "-f",
    ])
```

so if `--add ostree` is getting passed into this script, you know we are an ostree initoverlayfs build. We can do this check in this PR or save that for a later PR.
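The argument scan this comment proposes, written out as an added example; it is not code from this PR or from rpm-ostree. The function names `is_ostree_build` and `ostree_build_flag` are my own, the argument list in the sample call is the one quoted from rpm-ostree above, and the three `--add` spellings handled (a bare module name, a quoted space-separated module list, and `--add=`) follow dracut's own option syntax:

```shell
# Added example, not part of initoverlayfs-install: decide whether the install
# script was invoked for an ostree initramfs by looking for the "ostree" dracut
# module in a dracut-style argument list.

# Return 0 when "--add" names the ostree module, 1 otherwise.
# Handles "--add ostree", "--add 'ostree foo'" (space-separated module list)
# and "--add=ostree"; a module such as "ostreefoo" must not match.
is_ostree_build() {
    local want_mods=0 arg mod
    for arg in "$@"; do
        if [ "$want_mods" -eq 1 ]; then
            want_mods=0
            # The value after "--add" is a whitespace-separated module list.
            for mod in $arg; do
                if [ "$mod" = "ostree" ]; then return 0; fi
            done
            continue
        fi
        case "$arg" in
            --add) want_mods=1 ;;
            --add=*)
                for mod in ${arg#--add=}; do
                    if [ "$mod" = "ostree" ]; then return 0; fi
                done
                ;;
        esac
    done
    return 1
}

# Prints "true" or "false" so the script can store the decision in a variable
# and use it as the guard that is currently hard-coded to "if false".
ostree_build_flag() {
    if is_ostree_build "$@"; then echo true; else echo false; fi
}

# Constructed sample call using the argument list quoted from rpm-ostree.
if is_ostree_build --no-hostonly --kver 6.8.0 --reproducible -v --add ostree -f; then
    echo "ostree build: dm-verity path would be enabled"
else
    echo "regular build: dm-verity path skipped"
fi
```

Inside the install script the result of `ostree_build_flag "$@"` is what would replace the literal `false` in the guard, so a regular (non-ostree) image keeps skipping the veritysetup step while an rpm-ostree invocation enables it.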
This is one of many changes we will need in initoverlayfs-install to accommodate for the rpm-ostree flow...
Hey Martin, nice patch, just a small comment. You also might want to squash the patch, but it's up to you.
This is probably good to merge if you take it out of draft @martinmcconnell. Just make sure the script works with both "if false" and "if true" (but leave if false). Next step after this PR is to make/teach systemd mount a dm-veritied initoverlayfs during bootup (and we will have to teach our special optimized Automotive init system that's coming too, but systemd is easier to start with).
Also, include dynamic kernel version dm-verity hash in initramfs.
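How the per-kernel root hash can be captured from `veritysetup format` and kept next to the image, as an added example rather than the PR's own script. The `Root hash:` line is veritysetup's real summary format; the file layout (`initoverlayfs-$kver.img`, `.verity`, `.roothash` in one directory), the function names, and every value in the sample output are my assumptions, constructed for illustration:

```shell
# Added example, not the initoverlayfs project's code: build the dm-verity hash
# tree for one kernel version's image and record the root hash that the boot-
# time verity setup (systemd, in the thread's plan) must later be given.

# Extract the root hash from veritysetup's summary text. Fails when the line is
# missing, contains non-hex characters, or is not the 64 hex digits that the
# sha256 default produces, so a garbled run never yields a "valid" hash file.
extract_root_hash() {
    local out="$1" hash
    hash=$(printf '%s\n' "$out" | sed -n 's/^Root hash:[[:space:]]*//p' | head -n1)
    case "$hash" in
        ""|*[!0-9a-f]*) return 1 ;;   # nothing found, or not lowercase hex
    esac
    [ "${#hash}" -eq 64 ] || return 1
    printf '%s\n' "$hash"
}

# Run "veritysetup format <data> <hash-device>" for one image and store the
# root hash under the same kernel-version name (assumed layout, see lead-in).
gen_verity() {
    local dir="$1" kver="$2" img verity out hash
    img="$dir/initoverlayfs-$kver.img"
    verity="$dir/initoverlayfs-$kver.verity"
    out=$(veritysetup format "$img" "$verity")
    hash=$(extract_root_hash "$out") || {
        echo "veritysetup did not report a usable root hash for $img" >&2
        return 1
    }
    printf '%s\n' "$hash" > "$dir/initoverlayfs-$kver.roothash"
    echo "$hash"
}

# Constructed sample of veritysetup format output; UUID, salt and root hash
# are placeholders, not values from a real run.
SAMPLE_VERITY_OUTPUT='VERITY header information for /tmp/initoverlayfs-6.8.0.verity
UUID:            00000000-0000-4000-8000-000000000000
Hash type:       1
Data blocks:     1024
Data block size: 4096
Hash block size: 4096
Hash algorithm:  sha256
Salt:            0000000000000000000000000000000000000000000000000000000000000000
Root hash:       0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'

hash=$(extract_root_hash "$SAMPLE_VERITY_OUTPUT") && echo "root hash: $hash"
```

The root hash is the only value the initramfs needs to carry to verify the image at boot, and it is the one thing that must not be taken from the image itself, which is why `gen_verity` fails loudly instead of writing an empty or partial `.roothash` file.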