From: Michael Opdenacker <michael.opdenacker@rootcommit.com>
To: Ayoub Zaki <ayoub.zaki@googlemail.com>
Cc: Yocto-mailing-list <yocto@lists.yoctoproject.org>
Subject: Re: overlayfs-etc on top of dm-verity?
Date: Mon, 30 Mar 2026 16:51:33 +0000 (UTC)
Message-ID: <7870f639-0573-4656-9daf-180ccb3541eb@rootcommit.com>
In-Reply-To: <CA+-BmJbrTDW9bgT_RN6uEirtGMq4i6euR3JzvnDEhKwPT3DLbQ@mail.gmail.com>

Hi Ayoub,

On 3/27/26 2:26 PM, Ayoub Zaki wrote:
> Hi Michael,
> From a security perspective I would strongly advise against overlaying 
> the entire /etc as it undermines the integrity provided by secure 
> boot. Instead only overlay the specific files that actually need to be 
> modified. In addition, consider enforcing integrity protection on the 
> upper layer and consider alternatively switching to bind mounts for those 
> files.
>
Thanks for the advice and reminder! This definitely makes sense and I'll 
review which /etc files we need to modify, if any. I initially suggested 
this to allow for changing root/user passwords at first boot, but we may 
be able to do without users and passwords after all.

Cheers
Michael.

-- 
Root Commit
Embedded Linux Training and Consulting
https://rootcommit.com