initramfs-framework: Add dmverity module

Add 'initramfs-module-dmverity' as an extension to poky upstream provided initramfs-framework suite via matchingly named bbappend file. Together with pre-existing 'initramfs-module-udev' this module can be used to facilitate dm-verity rootfs mounting from initramfs context that is bundled with Linux kernel. Signed-off-by: Niko Mauno <niko.mauno@vaisala.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: niko.mauno@vaisala.com <niko.mauno@vaisala.com> 2020-09-10 16:17:54 +0000
committer: Armin Kuster <akuster808@gmail.com> 2020-09-12 08:55:28 -0700
commit: 489f7c900c365e4b3198cff2f2fd7c38623b77e8 (patch)
tree: e6fccd0c049605473cfa28e6053ce1f26b9ee567
parent: 170945ff9f8835ab7b0045b722c2a480b450ef90 (diff)
download: meta-security-489f7c900c365e4b3198cff2f2fd7c38623b77e8.tar.gz
2 files changed, 69 insertions, 0 deletions
diff --git a/recipes-core/initrdscripts/initramfs-framework/dmverity b/recipes-core/initrdscripts/initramfs-framework/dmverity
new file mode 100644
index 0000000..bb07aab
--- /dev/null
+++ b/recipes-core/initrdscripts/initramfs-framework/dmverity
@@ -0,0 +1,53 @@
+#!/bin/sh
+dmverity_enabled() {
+    return 0
+}
+dmverity_run() {
+    DATA_SIZE="__not_set__"
+    ROOT_HASH="__not_set__"
+    . /usr/share/misc/dm-verity.env
+    case "${bootparam_root}" in
+        ID=*)
+            RDEV="$(realpath /dev/disk/by-id/${bootparam_root#ID=})"
+            ;;
+        LABEL=*)
+            RDEV="$(realpath /dev/disk/by-label/${bootparam_root#LABEL=})"
+            ;;
+        PARTLABEL=*)
+            RDEV="$(realpath /dev/disk/by-partlabel/${bootparam_root#PARTLABEL=})"
+            ;;
+        PARTUUID=*)
+            RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=})"
+            ;;
+        PATH=*)
+            RDEV="$(realpath /dev/disk/by-path/${bootparam_root#PATH=})"
+            ;;
+        UUID=*)
+            RDEV="$(realpath /dev/disk/by-uuid/${bootparam_root#UUID=})"
+            ;;
+        *)
+            RDEV="${bootparam_root}"
+    esac
+    if ! [ -b "${RDEV}" ]; then
+        echo "Root device resolution failed"
+        exit 1
+    fi
+    veritysetup \
+        --data-block-size=1024 \
+        --hash-offset=${DATA_SIZE} \
+        create rootfs \
+        ${RDEV} \
+        ${RDEV} \
+        ${ROOT_HASH}
+    mount \
+        -o ro \
+        /dev/mapper/rootfs \
+        ${ROOTFS_DIR} || exit 2
+}
diff --git a/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend b/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend
new file mode 100644
index 0000000..dad9c96
--- /dev/null
+++ b/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend
@@ -0,0 +1,16 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+SRC_URI_append = "\
+    file://dmverity \
+"
+do_install_append() {
+    # dm-verity
+    install ${WORKDIR}/dmverity ${D}/init.d/80-dmverity
+}
+PACKAGES_append = " initramfs-module-dmverity"
+SUMMARY_initramfs-module-dmverity = "initramfs dm-verity rootfs support"
+RDEPENDS_initramfs-module-dmverity = "${PN}-base"
+FILES_initramfs-module-dmverity = "/init.d/80-dmverity"
author	niko.mauno@vaisala.com <niko.mauno@vaisala.com>	2020-09-10 16:17:54 +0000
committer	Armin Kuster <akuster808@gmail.com>	2020-09-12 08:55:28 -0700
commit	489f7c900c365e4b3198cff2f2fd7c38623b77e8 (patch)
tree	e6fccd0c049605473cfa28e6053ce1f26b9ee567
parent	170945ff9f8835ab7b0045b722c2a480b450ef90 (diff)
download	meta-security-489f7c900c365e4b3198cff2f2fd7c38623b77e8.tar.gz

diff --git a/recipes-core/initrdscripts/initramfs-framework/dmverity b/recipes-core/initrdscripts/initramfs-framework/dmverity new file mode 100644 index 0000000..bb07aab --- /dev/null +++ b/recipes-core/initrdscripts/initramfs-framework/dmverity
@@ -0,0 +1,53 @@
	1	#!/bin/sh
	2
	3	dmverity_enabled() {
	4	return 0
	5	}
	6
	7	dmverity_run() {
	8	DATA_SIZE="__not_set__"
	9	ROOT_HASH="__not_set__"
	10
	11	. /usr/share/misc/dm-verity.env
	12
	13	case "${bootparam_root}" in
	14	ID=*)
	15	RDEV="$(realpath /dev/disk/by-id/${bootparam_root#ID=})"
	16	;;
	17	LABEL=*)
	18	RDEV="$(realpath /dev/disk/by-label/${bootparam_root#LABEL=})"
	19	;;
	20	PARTLABEL=*)
	21	RDEV="$(realpath /dev/disk/by-partlabel/${bootparam_root#PARTLABEL=})"
	22	;;
	23	PARTUUID=*)
	24	RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=})"
	25	;;
	26	PATH=*)
	27	RDEV="$(realpath /dev/disk/by-path/${bootparam_root#PATH=})"
	28	;;
	29	UUID=*)
	30	RDEV="$(realpath /dev/disk/by-uuid/${bootparam_root#UUID=})"
	31	;;
	32	*)
	33	RDEV="${bootparam_root}"
	34	esac
	35
	36	if ! [ -b "${RDEV}" ]; then
	37	echo "Root device resolution failed"
	38	exit 1
	39	fi
	40
	41	veritysetup \
	42	--data-block-size=1024 \
	43	--hash-offset=${DATA_SIZE} \
	44	create rootfs \
	45	${RDEV} \
	46	${RDEV} \
	47	${ROOT_HASH}
	48
	49	mount \
	50	-o ro \
	51	/dev/mapper/rootfs \
	52	${ROOTFS_DIR} \|\| exit 2
	53	}


diff --git a/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend b/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend new file mode 100644 index 0000000..dad9c96 --- /dev/null +++ b/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend
@@ -0,0 +1,16 @@
	1	FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
	2
	3	SRC_URI_append = "\
	4	file://dmverity \
	5	"
	6
	7	do_install_append() {
	8	# dm-verity
	9	install ${WORKDIR}/dmverity ${D}/init.d/80-dmverity
	10	}
	11
	12	PACKAGES_append = " initramfs-module-dmverity"
	13
	14	SUMMARY_initramfs-module-dmverity = "initramfs dm-verity rootfs support"
	15	RDEPENDS_initramfs-module-dmverity = "${PN}-base"
	16	FILES_initramfs-module-dmverity = "/init.d/80-dmverity"