diff options
| author | Paul Gortmaker <paul.gortmaker@windriver.com> | 2023-05-10 11:04:42 -0400 |
|---|---|---|
| committer | Armin Kuster <akuster808@gmail.com> | 2023-05-13 06:06:29 -0400 |
| commit | ddf301c45ce28a1a423cbaaa5a3751709ac937e8 (patch) | |
| tree | 526253832d57f46ca54f2c58f3bfae4d2714a366 | |
| parent | 2fbeebc18cd88806479fa3a5d79557a18465ce4b (diff) | |
| download | meta-security-ddf301c45ce28a1a423cbaaa5a3751709ac937e8.tar.gz | |
dm-verity: add x86-64 systemd based example instructions
We have systemd-bootdisk-dmverity.wks.in as an example template but
no mention of it in docs or config files. Similar to the beaglebone
black insructions added earlier, we do the same for (qemu)x86-64.
This hopefully walks through getting things configured for building
a systemd based dm-verity image and booting it on qemux86-64 --filling
in a lot of blanks and assumptions so that someone relatively new to
the feature can get off the ground more quickly by using qemu as a
stepping stone towards their final physical implementation.
Finally, the full image is deployed and booted on real hardware.
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| -rw-r--r-- | docs/dm-verity-systemd-x86-64.txt | 77 |
1 files changed, 77 insertions, 0 deletions
diff --git a/docs/dm-verity-systemd-x86-64.txt b/docs/dm-verity-systemd-x86-64.txt new file mode 100644 index 0000000..a47b02c --- /dev/null +++ b/docs/dm-verity-systemd-x86-64.txt | |||
| @@ -0,0 +1,77 @@ | |||
| 1 | dm-verity and x86-64 and systemd | ||
| 2 | -------------------------------- | ||
| 3 | In this example, we'll target combining qemux86-64 with dm-verity and | ||
| 4 | also systemd - systemd has dm-verity bindings and is more likely to be | ||
| 5 | used on x86. | ||
| 6 | |||
| 7 | While dm-verity in a qemu environment doesn't make practial sense as a | ||
| 8 | deployment - it can be a useful stepping stone for testing and getting to | ||
| 9 | a final physical deployment. | ||
| 10 | |||
| 11 | Set/uncomment the MACHINE line for "qemux86-64" if you haven't yet. It | ||
| 12 | should be the default if unspecified, but check to be sure. As of this | ||
| 13 | writing (kernel v6.1) the resulting qemux86-64 build can also be booted | ||
| 14 | successfully on physical hardware, but if you don't intend to use qemu, | ||
| 15 | you might instead want to choose "genericx86-64" | ||
| 16 | |||
| 17 | This will make use of wic/systemd-bootdisk-dmverity.wks.in -- note that it | ||
| 18 | contains a dependency on the meta-intel layer for microcode, so you'll need | ||
| 19 | to fetch and add that layer in addition to the meta-security related layers. | ||
| 20 | |||
| 21 | In addition to the basic dm-verity settings, choose systemd in local.conf: | ||
| 22 | |||
| 23 | DISTRO_FEATURES:append = " security systemd" | ||
| 24 | VIRTUAL-RUNTIME_init_manager = "systemd" | ||
| 25 | EFI_PROVIDER = "systemd-boot" | ||
| 26 | PACKAGECONFIG:append:pn-systemd = " cryptsetup" | ||
| 27 | |||
| 28 | Note the last line - you won't typically see that in on-line instructions | ||
| 29 | for enabling systemd. It is important for dm-verity, since it triggers | ||
| 30 | the build and installation of components like this onto the rootfs: | ||
| 31 | |||
| 32 | /lib/systemd/system-generators/systemd-veritysetup-generator | ||
| 33 | /lib/systemd/systemd-veritysetup | ||
| 34 | |||
| 35 | Now build the components for the wic image: | ||
| 36 | |||
| 37 | bitbake intel-microcode | ||
| 38 | bitbake core-image-minimal | ||
| 39 | |||
| 40 | Assemble the image: | ||
| 41 | |||
| 42 | ------------------------------ | ||
| 43 | build-qemu-x86_64$wic create systemd-bootdisk-dmverity -e core-image-minimal | ||
| 44 | INFO: Building wic-tools... | ||
| 45 | |||
| 46 | [...] | ||
| 47 | |||
| 48 | INFO: Creating image(s)... | ||
| 49 | |||
| 50 | INFO: The new image(s) can be found here: | ||
| 51 | ./systemd-bootdisk-dmverity.wks-202304181413-sda.direct | ||
| 52 | |||
| 53 | The following build artifacts were used to create the image(s): | ||
| 54 | BOOTIMG_DIR: /home/paul/poky/build-qemu-x86_64/tmp/work/qemux86_64-poky-linux/core-image-minimal/1.0-r0/recipe-sysroot/usr/share | ||
| 55 | KERNEL_DIR: /home/paul/poky/build-qemu-x86_64/tmp/deploy/images/qemux86-64 | ||
| 56 | NATIVE_SYSROOT: /home/paul/poky/build-qemu-x86_64/tmp/work/core2-64-poky-linux/wic-tools/1.0-r0/recipe-sysroot-native | ||
| 57 | |||
| 58 | INFO: The image(s) were created using OE kickstart file: | ||
| 59 | /home/paul/poky/meta-security/wic/systemd-bootdisk-dmverity.wks.in | ||
| 60 | build-qemu-x86_64$ | ||
| 61 | ------------------------------ | ||
| 62 | |||
| 63 | The "runqemu" script defaults were acceptable for testing with only the | ||
| 64 | verity image needing to be specified, i.e. | ||
| 65 | |||
| 66 | runqemu \ | ||
| 67 | nographic \ | ||
| 68 | qemux86-64 \ | ||
| 69 | tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64-*.rootfs.ext4.verity | ||
| 70 | |||
| 71 | You will see the above "direct" image file and also similarly named | ||
| 72 | individual partition images. To boot on UEFI enabled physical hardware, | ||
| 73 | you need to simply write the "direct" image file to a USB stick with dd | ||
| 74 | and the partition images can largely be ignored. | ||
| 75 | |||
| 76 | Further information on interacting with the systemd UEFI loader is here: | ||
| 77 | https://www.freedesktop.org/wiki/Software/systemd/systemd-boot/ | ||