mirror of
git://git.openembedded.org/meta-openembedded
synced 2026-01-01 13:58:06 +00:00
6f4501734f
Add support to generate a dm-verity image and the parameters required to
assemble the corresponding table for the device-mapper driver. The latter will
be stored in the file ${DEPLOY_DIR_IMAGE}/<IMAGE_LINK_NAME>.verity-params.
Note that in the resulting image the hash tree data is appended to the contents
of the original image without an explicit superblock to keep things simple and
compact.
The above mentioned parameter file can be sourced by a shell to finally create
the desired blockdevice via "dmsetup" (found in meta-oe's recipe
"libdevmapper"), e.g.
. <IMAGE_LINK_NAME>.verity-params
dmsetup create <dm_dev_name> --readonly --table "0 $VERITY_DATA_SECTORS verity \
1 <dev> <hash_dev> \
$VERITY_DATA_BLOCK_SIZE $VERITY_HASH_BLOCK_SIZE \
$VERITY_DATA_BLOCKS $VERITY_DATA_BLOCKS \
$VERITY_HASH_ALGORITHM $VERITY_ROOT_HASH $VERITY_SALT \
1 ignore_zero_blocks"
As the hash tree data is found at the end of the image, <dev> and <hash_dev>
should be the same blockdevice in the command shown above while <dm_dev_name> is
the name of the to be created dm-verity-device.
The root hash is calculated using a salt to make attacks more difficult. Thus,
please grant each image recipe its own salt which could be generated e.g. via
dd if=/dev/random bs=1k count=1 | sha256sum
and assign it to the parameter VERITY_SALT.
Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
Signed-off-by: Ulrich Ölmann <u.oelmann@pengutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
||
|---|---|---|
| .. | ||
| breakpad.bbclass | ||
| gitpkgv.bbclass | ||
| gitver.bbclass | ||
| gpe.bbclass | ||
| image_types_sparse.bbclass | ||
| image_types_verity.bbclass | ||
| itstool.bbclass | ||
| machine_kernel_pr.bbclass | ||
| scancode.bbclass | ||
| signing.bbclass | ||
| socorro-syms.bbclass | ||