From: "Bartosz Golaszewski" <brgl@bgdev.pl>
To: Khem Raj <raj.khem@gmail.com>,
Richard Purdie <richard.purdie@linuxfoundation.org>,
Armin Kuster <akuster808@gmail.com>,
Jerome Neanne <jneanne@baylibre.com>,
Quentin Schulz <quentin.schulz@streamunlimited.com>
Cc: openembedded-devel@lists.openembedded.org,
yocto@lists.yoctoproject.org,
Bartosz Golaszewski <bgolaszewski@baylibre.com>
Subject: [OE-core][PATCH v2 0/2] generic dm-verity support + BBB example
Date: Fri, 10 Apr 2020 14:34:47 +0200
Message-ID: <20200410123449.9624-1-brgl@bgdev.pl>
From: Bartosz Golaszewski <bgolaszewski@baylibre.com>
This series attempts to introduce support for dm-verity in meta-security.
It depends on a series[1] I submitted for OE-core that introduces multi-stage
image deployment that's currently pending review (although the general idea
was accepted by Richard). This new way of deploying image artifacts is aimed
at solving a circular dependency problem[2] which turned out to be impossible
to resolve if all artifacts are deployed at once by the do_image_complete task.
The first patch in this series introduces a generic bbclass that allows generating
dm-verity hash data and appending it at the end of the partition image.
The second patch adds support for an example verified boot image for BeagleBone
Black where the root dm-verity hash is stored inside the signed fitImage
in an initramfs which takes care of mounting the protected rootfs.
Patch 2/2 - while only verified to work on BBB - should be generic enough to be
reusable across many platforms.
[1] https://www.mail-archive.com/openembedded-core@lists.openembedded.org/msg135694.html
[2] https://www.mail-archive.com/openembedded-core@lists.openembedded.org/msg134825.html
Bartosz Golaszewski (2):
classes: provide a class for generating dm-verity meta-data images
dm-verity: add a working example for BeagleBone Black
classes/dm-verity-img.bbclass | 88 +++++++++++++++++++
.../images/dm-verity-image-initramfs.bb | 26 ++++++
.../initrdscripts/initramfs-dm-verity.bb | 13 +++
.../initramfs-dm-verity/init-dm-verity.sh | 46 ++++++++++
wic/beaglebone-yocto-verity.wks.in | 15 ++++
5 files changed, 188 insertions(+)
create mode 100644 classes/dm-verity-img.bbclass
create mode 100644 recipes-core/images/dm-verity-image-initramfs.bb
create mode 100644 recipes-core/initrdscripts/initramfs-dm-verity.bb
create mode 100644 recipes-core/initrdscripts/initramfs-dm-verity/init-dm-verity.sh
create mode 100644 wic/beaglebone-yocto-verity.wks.in
--
2.25.0
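Added example, not code from this series or from meta-security: a pure-Python model of the dm-verity "format 1" hash tree that the class described in the cover letter appends to the end of the partition image. It assumes sha256, 4 KiB data and hash blocks, the layout veritysetup(8) writes with --no-superblock (the real tool additionally writes a superblock at the hash offset, omitted here), and a constructed sample image and salt. It shows why only the root hash and the salt need to live somewhere trusted such as the signed fitImage: a change to any data block, or to the appended hash area itself, no longer matches that one value.

```python
import hashlib
import hmac
from typing import List, Tuple

# Constructed example; mirrors the dm-verity format 1 tree, not the series' code.
DATA_BLOCK_SIZE = 4096
HASH_BLOCK_SIZE = 4096

# Constructed sample inputs: a 130-block "rootfs" (so the tree needs two hash
# levels plus the root) and a fixed salt. Not taken from any real image.
SAMPLE_SALT = hashlib.sha256(b"constructed example salt").digest()
SAMPLE_ROOTFS = (bytes(range(256)) * 16) * 130  # 130 * 4096 bytes


def _hash_block(salt: bytes, block: bytes, algo: str) -> bytes:
    # dm-verity format 1 hashes salt || block for data and hash blocks alike.
    h = hashlib.new(algo)
    h.update(salt)
    h.update(block)
    return h.digest()


def build_hash_tree(data: bytes, salt: bytes, algo: str = "sha256") -> Tuple[bytes, bytes]:
    """Return (root_hash, hash_area).

    hash_area is laid out with the level closest to the root first, which is
    the order dm-verity expects to find the tree at the hash offset.
    """
    if len(data) == 0 or len(data) % DATA_BLOCK_SIZE:
        raise ValueError("data must be a non-zero multiple of the data block size")
    digests = [_hash_block(salt, data[i:i + DATA_BLOCK_SIZE], algo)
               for i in range(0, len(data), DATA_BLOCK_SIZE)]
    per_block = HASH_BLOCK_SIZE // len(digests[0])
    levels: List[List[bytes]] = []
    while True:
        # Pack digests into hash blocks, zero padding the last one.
        blocks = [b"".join(digests[i:i + per_block]).ljust(HASH_BLOCK_SIZE, b"\0")
                  for i in range(0, len(digests), per_block)]
        levels.append(blocks)
        if len(blocks) == 1:
            # The root hash is the hash of the single top-level hash block.
            root_hash = _hash_block(salt, blocks[0], algo)
            break
        digests = [_hash_block(salt, b, algo) for b in blocks]
    levels.reverse()
    return root_hash, b"".join(b"".join(level) for level in levels)


def append_verity(image: bytes, salt: bytes) -> Tuple[bytes, int, bytes]:
    """Append the hash area to a partition image.

    Returns (image_with_hashes, hash_offset, root_hash). The hash offset and
    root hash are what an initramfs needs to hand to veritysetup at boot.
    """
    root_hash, hash_area = build_hash_tree(image, salt)
    return image + hash_area, len(image), root_hash


def verify_image(image: bytes, hash_offset: int, salt: bytes, root_hash: bytes) -> bool:
    """Recompute the tree over the data part and check it against both the
    stored hash area and the trusted root hash. The kernel does this lazily
    per block on read; here the whole image is checked up front."""
    data, stored = image[:hash_offset], image[hash_offset:]
    computed_root, computed_area = build_hash_tree(data, salt)
    return hmac.compare_digest(computed_root, root_hash) and computed_area == stored


if __name__ == "__main__":
    img, offset, root = append_verity(SAMPLE_ROOTFS, SAMPLE_SALT)
    print("hash offset:", offset)
    print("root hash:  ", root.hex())
    print("intact:     ", verify_image(img, offset, SAMPLE_SALT, root))
```

In the BBB flow sketched above, the root hash computed this way is the value baked into the initramfs inside the signed fitImage, while the hash area travels unsigned at the end of the rootfs partition; the init script only has to point veritysetup at the data device, the hash offset and that root hash.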
Thread overview: 4+ messages
2020-04-10 12:34 Bartosz Golaszewski [this message]
2020-04-10 12:34 ` [OE-core][PATCH v2 1/2] classes: provide a class for generating dm-verity meta-data images Bartosz Golaszewski
2020-04-10 12:34 ` [OE-core][PATCH v2 2/2] dm-verity: add a working example for BeagleBone Black Bartosz Golaszewski
2020-04-10 12:37 ` [OE-core][PATCH v2 0/2] generic dm-verity support + BBB example Bartosz Golaszewski