dm-verity: document board specifics for Beaglebone Black

This is meant to augment the generic dm-verity instructions with the board specifics for this platform. Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Paul Gortmaker <paul.gortmaker@windriver.com> 2023-03-10 13:11:17 -0500
committer: Armin Kuster <akuster808@gmail.com> 2023-03-20 16:27:24 -0400
commit: 2b2b112b056e2e01d00e6905b8908bbde0e3a8de (patch)
tree: c1a013840f110ae772558814743918b4c468e344
parent: b6b483902ad8d74f2d2e2081c42fe4cd13d4001f (diff)
download: meta-security-2b2b112b056e2e01d00e6905b8908bbde0e3a8de.tar.gz
1 files changed, 37 insertions, 0 deletions
diff --git a/docs/dm-verity-beaglebone.txt b/docs/dm-verity-beaglebone.txt
new file mode 100644
index 0000000..5f0caa4
--- /dev/null
+++ b/docs/dm-verity-beaglebone.txt
@@ -0,0 +1,37 @@
+dm-verity and beaglebone-black
+------------------------------
+Set/uncomment the MACHINE line for "beaglebone-yocto" if you haven't yet.
+In addition to the basic dm-verity settings, you'll also want in local.conf:
+IMAGE_BOOT_FILES:remove = "zImage"
+IMAGE_BOOT_FILES:append = " zImage-initramfs-${MACHINE}.bin;zImage"
+WKS_FILES = "${MACHINE}-verity.wks.in"
+Read-only issues: The beaglebone BSP by default declares the following:
+   SERIAL_CONSOLES ?= "115200;ttyS0 115200;ttyO0 115200;ttyAMA0"
+   SERIAL_CONSOLES_CHECK = "${SERIAL_CONSOLES}"
+...which are variables used by sysV init, in order to determine the
+appropriate /etc/inittab entries.  The problem that arises is that by
+default, an on-target runtime check of /proc/consoles is used to finalize
+the /etc/inittab -- and of course that fails a build with read-only-rootfs
+[see the pkg_postinst_ontarget rule in the sysvinit rule for details.]
+If you don't need a serial console, the quick fix is to add in local.conf
+SERIAL_CONSOLES = ""
+If you do need/want a serial console, then probably a local bbappend to
+manually set the /etc/inittab as desired is easiest.
+After running "wic create -e core-image-minimal beaglebone-yocto-verity"
+you should have a "direct" image ready to write to a u-SD card.  Remember
+that the "direct" image contains the bootloader and partition table
+already, so you'll be writing it to a device such as /dev/sdb and not
+just a partition  -- like /dev/sdb1
+Also recall that booting from u-SD requires pressing and holding the S2
+(SYSBOOT) button during power-on in order to divert the boot from the normal
+soldered on storage and to the removable u-SD card.
author	Paul Gortmaker <paul.gortmaker@windriver.com>	2023-03-10 13:11:17 -0500
committer	Armin Kuster <akuster808@gmail.com>	2023-03-20 16:27:24 -0400
commit	2b2b112b056e2e01d00e6905b8908bbde0e3a8de (patch)
tree	c1a013840f110ae772558814743918b4c468e344
parent	b6b483902ad8d74f2d2e2081c42fe4cd13d4001f (diff)
download	meta-security-2b2b112b056e2e01d00e6905b8908bbde0e3a8de.tar.gz

diff --git a/docs/dm-verity-beaglebone.txt b/docs/dm-verity-beaglebone.txt new file mode 100644 index 0000000..5f0caa4 --- /dev/null +++ b/docs/dm-verity-beaglebone.txt
@@ -0,0 +1,37 @@
	1	dm-verity and beaglebone-black
	2	------------------------------
	3	Set/uncomment the MACHINE line for "beaglebone-yocto" if you haven't yet.
	4
	5	In addition to the basic dm-verity settings, you'll also want in local.conf:
	6
	7	IMAGE_BOOT_FILES:remove = "zImage"
	8	IMAGE_BOOT_FILES:append = " zImage-initramfs-${MACHINE}.bin;zImage"
	9	WKS_FILES = "${MACHINE}-verity.wks.in"
	10
	11	Read-only issues: The beaglebone BSP by default declares the following:
	12
	13	SERIAL_CONSOLES ?= "115200;ttyS0 115200;ttyO0 115200;ttyAMA0"
	14	SERIAL_CONSOLES_CHECK = "${SERIAL_CONSOLES}"
	15
	16	...which are variables used by sysV init, in order to determine the
	17	appropriate /etc/inittab entries. The problem that arises is that by
	18	default, an on-target runtime check of /proc/consoles is used to finalize
	19	the /etc/inittab -- and of course that fails a build with read-only-rootfs
	20	[see the pkg_postinst_ontarget rule in the sysvinit rule for details.]
	21
	22	If you don't need a serial console, the quick fix is to add in local.conf
	23
	24	SERIAL_CONSOLES = ""
	25
	26	If you do need/want a serial console, then probably a local bbappend to
	27	manually set the /etc/inittab as desired is easiest.
	28
	29	After running "wic create -e core-image-minimal beaglebone-yocto-verity"
	30	you should have a "direct" image ready to write to a u-SD card. Remember
	31	that the "direct" image contains the bootloader and partition table
	32	already, so you'll be writing it to a device such as /dev/sdb and not
	33	just a partition -- like /dev/sdb1
	34
	35	Also recall that booting from u-SD requires pressing and holding the S2
	36	(SYSBOOT) button during power-on in order to divert the boot from the normal
	37	soldered on storage and to the removable u-SD card.