Add script to wrap filesystem image in DDI #24
Conversation
|
I think we should use systemd-repart^^ |
|
The examples don't cover it because one would also need a third partition with |
|
i know you do :) i'll try that next |
|
I'm not against having this script available, too |
with a dm-verity hash-tree and signed root hash. Signed-off-by: Jeremi Piotrowski <[email protected]>
This uses systemd-repart for image generation, but requires the unreleased v255 due to bugs and missing features in earlier versions. Signed-off-by: Jeremi Piotrowski <[email protected]>
|
@pothos: i've added systemd-repart for verity DDI creation to bake.sh |
|
|
||
| ### Verity | ||
|
|
||
| To generate sysext protected by dm-verity with a signed root hash pass `FORMAT=verity` before invoking any of the scripts. This requires `systemd-repart` with a version >= v255. This also requires passing a path to a private key and certificate through `KEY` and `CERT`. |
There was a problem hiding this comment.
A sentence on how these can be loaded would be good.
| To generate sysext protected by dm-verity with a signed root hash pass `FORMAT=verity` before invoking any of the scripts. This requires `systemd-repart` with a version >= v255. This also requires passing a path to a private key and certificate through `KEY` and `CERT`. | |
| To generate sysext protected by dm-verity with a signed root hash pass `FORMAT=verity` before invoking any of the scripts. This requires `systemd-repart` with a version >= v255. This also requires passing a path to a private key and certificate through `KEY` and `CERT`. To load the image, add the certificate file to `/etc/verity.d/`. |
| elif [ "${FORMAT}" = "squashfs" ]; then | ||
| mksquashfs "${SYSEXTNAME}" "${SYSEXTNAME}".raw -all-root | ||
| elif [ "${FORMAT}" = "verity" ]; then | ||
| systemd-repart --private-key="${KEY}" --certificate="${CERT}" --root="${SYSEXTNAME}" --no-pager --empty=create --size=auto --definitions=repart.d "${SYSEXTNAME}.raw" |
There was a problem hiding this comment.
This assumes to be running in the script's folder, we need to add a cd or use an absolute path for --definitions=
Thanks! |
|
From the NEWS entries for 255: |
I think we hit a roadblock with sysext signature policies: if we enforce signatures for sysexts then all of them need to be signed, but we didn't want to prevent users from loading their own sysexts. And the signing key needs to be built-into the kernel or provided through UEFI mechanisms, which greatly limits mixing Flatcar provided sysext's with user provided ones. |
@jepio Thank you for this. So, I think, this PR will be closed as not applicable, right? |
with a dm-verity hash-tree and signed root hash.
This is an example for how to do things for sysexts that will be built into flatcar.