Integrate veritysetup format command for dm-verity hash generation #74

Merged, 2 commits, Mar 7, 2024
3 changes: 3 additions & 0 deletions bin/initoverlayfs-install
Expand Up @@ -37,6 +37,9 @@ exec_erofs() {
popd
rm -f "${INITRAMFS_DIR}/initoverlayfs-$kver.img"
mkfs.erofs $erofs_compression "${INITRAMFS_DIR}/initoverlayfs-$kver.img" ${INITRAMFS_DUMP_DIR}
if false; then
Collaborator

Hey Martin, I believe the if here is not needed as we have the set -ex at the top of the script, but I am not sure; could you please double check?

Collaborator

We should leave this in for now, it's gonna eventually become an "if ostree" kind of statement.

We don't want to do dm-verity for regular images, it has a performance cost and we don't have a secure boot story for non-ostree images.

Collaborator

ahh okay, thanks for the clarification.

OSTREE_BIN="/usr/bin/ostree"

if [ -e "$OSTREE_BIN" ]; then
    foobar    # placeholder for the dm-verity hash generation step
fi

Collaborator
@ericcurtin ericcurtin Feb 23, 2024

This check sadly won't work: you can have /usr/bin/ostree installed but not be booting an ostree OS; flatpak on Fedora Workstation is an example of that.

Collaborator

We can leave if false in for now just to make progress and not block. I have ideas for the if OSTree check once the rpm-ostree integration is a bit further along and we can boot an unverified OSTree image with initoverlayfs.

Collaborator

Eventually, what we can do to somewhat accurately detect if we are building an initoverlayfs for ostree is in roughly this area of the codebase, coreos/rpm-ostree#4721, where you will see these args get passed in:

    let res = Command::new(dracut_path)
        .args(&[
            "--no-hostonly",
            "--kver",
            kernel_dir,
            "--reproducible",
            "-v",
            "--add",
            "ostree",
            "-f",
        ])

so if --add ostree is getting passed into this script, you know we are an ostree initoverlayfs build. We can do this check in this PR or save that for a later PR.
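The "--add ostree" detection described in the comment above, together with capturing the root hash that veritysetup format prints (the value the new veritysetup line in this PR does not record), as an added example that is not part of this PR, of initoverlayfs or of rpm-ostree. It assumes the install script receives the dracut argument list as "$@" (the PR does not show how the arguments arrive); is_ostree_build, verity_root_hash and SAMPLE_VERITY_OUTPUT are names made up here, and the sample veritysetup output is constructed:

```shell
#!/bin/sh
# Added example, not initoverlayfs or rpm-ostree code. Assumes this script is
# handed the dracut argument list (for example the one rpm-ostree builds) as
# "$@". dracut accepts "--add ostree", "--add=ostree" and "-a ostree", and the
# value may be a single space-separated list of several modules.

# Return 0 when "ostree" is among the modules requested with --add / -a,
# 1 otherwise (including a trailing --add with no value).
is_ostree_build() {
    while [ $# -gt 0 ]; do
        case "$1" in
            --add|-a)
                # the module list is the next argument
                shift
                [ $# -gt 0 ] || return 1
                _list=$1
                ;;
            --add=*)
                _list=${1#--add=}
                ;;
            *)
                # --add-drivers, --kver, -f ... never name a dracut module
                shift
                continue
                ;;
        esac
        # unquoted on purpose: split the list on whitespace
        for _mod in $_list; do
            [ "$_mod" = "ostree" ] && return 0
        done
        shift
    done
    return 1
}

# veritysetup format prints a summary on stdout whose "Root hash:" line is the
# value a later verifier has to be given. Read that text from stdin and print
# only the digest so the caller can persist it somewhere trustworthy.
verity_root_hash() {
    sed -n 's/^Root hash:[[:space:]]*//p' | head -n 1
}

# Constructed sample of veritysetup format output (abridged; the digest is
# made up for this example, not a real hash).
SAMPLE_VERITY_OUTPUT='VERITY header information for /tmp/initoverlayfs-6.7.0.img
Hash type:        1
Hash algorithm:   sha256
Root hash:        0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'

# Demo: decide from this script's own arguments whether the dm-verity step
# would run. Constructed output; nothing is written anywhere.
if is_ostree_build "$@"; then
    echo "ostree build: would generate the dm-verity hash tree and record its root hash"
else
    echo "not an ostree build: dm-verity step skipped"
fi
```

Wrapping the existing call as veritysetup format ... | verity_root_hash > some-root-hash-file (an example path, not one the project defines) keeps the root hash; wherever it lands, it has to reach the verifier through something the writable root filesystem cannot rewrite, since the hash image itself is placed under /etc.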

Collaborator

This is one of many changes we will need in initoverlayfs-install to accommodate for the rpm-ostree flow...

veritysetup format "${INITRAMFS_DIR}/initoverlayfs-$kver.img" "/etc/initoverlayfs-hash-$kver.img"
fi
}

# Support for ext4 is currently under development.
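Review bot: the veritysetup format line discards the root hash the command prints on stdout, and nothing else in this hunk records it; without that value the hash tree written to /etc/initoverlayfs-hash-$kver.img cannot be used to verify the image at boot. Capture it (for example with --root-hash-file, or by reading the "Root hash:" output line) and store it where the writable root filesystem cannot alter it, otherwise the integrity check is only as strong as a file under /etc. Two smaller points: the block stays under "if false; then", which the comments agree to keep until the OSTree detection exists, and with set -ex at the top of the script a missing veritysetup binary aborts the install, so the final version should either require cryptsetup as a dependency or test for the tool before calling it.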