diff options
| author | Paul Gortmaker <paul.gortmaker@windriver.com> | 2023-05-10 11:04:40 -0400 |
|---|---|---|
| committer | Armin Kuster <akuster808@gmail.com> | 2023-05-13 06:06:29 -0400 |
| commit | 1cb3f6988a8fa07968da6566ec45d74f6414acfe (patch) | |
| tree | 09496509ca2c34dd5dc3f716b8878432867116f7 | |
| parent | 2c8c86f97e9b188807c3bbc2605e578cf28ce82f (diff) | |
| download | meta-security-1cb3f6988a8fa07968da6566ec45d74f6414acfe.tar.gz | |
dm-verity: don't make read-only-rootfs sound like a requirement
Adding to your local.conf right out of the gate:
EXTRA_IMAGE_FEATURES = "read-only-rootfs"
while you are trying to sort out other things can be just another
complication to an already steep learning curve.
For example, I found simply enabling this with systemd caused:
systemd[1]: Failed to fork off sandboxing environment for executing generators: Protocol error
[!!!!!!] Failed to start up manager.
systemd[1]: Freezing execution.
While I'd like to get to the root cause of that, it doesn't change that
things boot fine w/o adding to EXTRA_IMAGE_FEATURES, even though the
rootfs is still read-only courtesy of dm-verity.
Reword things so as to make it clear it isn't strictly a hard requirement
and hence can be delayed as people work through their implementation.
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| -rw-r--r-- | docs/dm-verity.txt | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/docs/dm-verity.txt b/docs/dm-verity.txt index ce18395..c2dce73 100644 --- a/docs/dm-verity.txt +++ b/docs/dm-verity.txt | |||
| @@ -53,11 +53,18 @@ conf/local.conf and conf/bblayers.conf from the oe-init-build-env | |||
| 53 | Firstly, you need the meta-security layer to conf/bblayers.conf along with | 53 | Firstly, you need the meta-security layer to conf/bblayers.conf along with |
| 54 | the dependencies it has -- see the top level meta-security README for that. | 54 | the dependencies it has -- see the top level meta-security README for that. |
| 55 | 55 | ||
| 56 | Next, assuming you'll be using dm-verity for validation of your rootfs, | 56 | Note that if you are using dm-verity for your rootfs, then it enforces a |
| 57 | you'll need to enable read-only rootfs support in your local.conf with: | 57 | read-only mount right at the kernel level, so be prepared for issues such |
| 58 | as failed creation of temporary files and similar. | ||
| 59 | |||
| 60 | Yocto does support additional checks and changes via setting: | ||
| 58 | 61 | ||
| 59 | EXTRA_IMAGE_FEATURES = "read-only-rootfs" | 62 | EXTRA_IMAGE_FEATURES = "read-only-rootfs" |
| 60 | 63 | ||
| 64 | ...but since read-only is enforced at the kernel level already, using | ||
| 65 | this feature isn't a hard requirement. It may be best to delay/defer | ||
| 66 | making use of this until after you've established basic booting. | ||
| 67 | |||
| 61 | For more details, see the associated documentation: | 68 | For more details, see the associated documentation: |
| 62 | 69 | ||
| 63 | https://docs.yoctoproject.org/dev/dev-manual/read-only-rootfs.html | 70 | https://docs.yoctoproject.org/dev/dev-manual/read-only-rootfs.html |