From 2cc90a6e69399b63610730a11951c5c62271c475 Mon Sep 17 00:00:00 2001
From: Jeremi Piotrowski
Date: Thu, 28 Sep 2023 14:05:29 +0200
Subject: [PATCH] bake: Add signed verity format

This uses systemd-repart for image generation, but requires the unreleased v255 due to bugs and missing features in earlier versions.

Signed-off-by: Jeremi Piotrowski
---
 README.md                   | 11 +++++++++++
 bake.sh                     | 29 ++++++++++++++++++++++++-----
 repart.d/01-root.conf       |  7 +++++++
 repart.d/02-verity.conf     |  7 +++++++
 repart.d/03-verity-sig.conf |  4 ++++
 5 files changed, 53 insertions(+), 5 deletions(-)
 create mode 100644 repart.d/01-root.conf
 create mode 100644 repart.d/02-verity.conf
 create mode 100644 repart.d/03-verity-sig.conf

diff --git a/README.md b/README.md
index 09e41db..c1cd6e4 100644
--- a/README.md
+++ b/README.md
@@ -177,3 +177,14 @@ In case you have an existing Torcx image you can convert it with the `convert_to
 ```
 
 Please make also sure that your don't have a `containerd.service` drop in file under `/etc` that uses Torcx paths.
+
+
+### Verity
+
+To generate sysext protected by dm-verity with a signed root hash pass `FORMAT=verity` before invoking any of the scripts. This requires `systemd-repart` with a version >= v255. This also requires passing a path to a private key and certificate through `KEY` and `CERT`.
+
+Here's an example:
+```
+openssl req -batch -new -x509 -sha256 -newkey rsa:2048 -nodes -out root_key.crt -keyout root_key.pem -days 3650
+FORMAT=verity KEY=root_key.pem CERT=root_key.crt ./create_kubernetes_sysext.sh v1.27.3 k8s
+```
diff --git a/bake.sh b/bake.sh
index 8d42126..c05f094 100755
--- a/bake.sh
+++ b/bake.sh
@@ -4,6 +4,13 @@ set -euo pipefail
 OS="${OS-flatcar}"
 FORMAT="${FORMAT:-squashfs}"
 ARCH="${ARCH-}"
+KEY="${KEY-}"
+CERT="${CERT-}"
+
+die() {
+  echo >&2 "$@"
+  exit 1
+}
 
 # This script is to be called as helper by other scripts but can also be used standalone
 if [ $# -lt 1 ]; then
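Review bot: The new `die()` helper in the bake.sh hunk relays its arguments through `echo`, whose handling of option-looking first words and backslash escapes varies between shells, so a message that happens to start with `-n` or contains `\` would be mangled; `die() { printf '%s\n' "$*" >&2; exit 1; }` is the robust form for a general-purpose error helper. The `KEY="${KEY-}"` and `CERT="${CERT-}"` defaults follow the existing `ARCH` pattern and keep `set -u` satisfied, so nothing else to flag in this hunk.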
@@ -19,12 +26,20 @@ elif [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
   exit 1
 fi
 
+if [ "${FORMAT}" = "verity" ]; then
+  [ -z "${KEY}" ] && die "\$KEY required for verity"
+  [ -z "${CERT}" ] && die "\$CERT required for verity"
+fi
+
 SYSEXTNAME="$1"
 
-if [ "${FORMAT}" != "squashfs" ] && [ "${FORMAT}" != "btrfs" ] && [ "${FORMAT}" != "ext4" ] && [ "${FORMAT}" != "ext2" ]; then
-  echo "Expected FORMAT=squashfs, FORMAT=btrfs, FORMAT=ext4, or FORMAT=ext2, got '${FORMAT}'" >&2
-  exit 1
-fi
+case ${FORMAT} in
+  squashfs) ;;
+  btrfs) ;;
+  ext4|ext2) ;;
+  verity) ;;
+  *) die "Unsupported format: '${FORMAT}'" ;;
+esac
 
 # Map to valid values for https://www.freedesktop.org/software/systemd/man/os-release.html#ARCHITECTURE=
 if [ "${ARCH}" = "amd64" ] || [ "${ARCH}" = "x86_64" ]; then
@@ -54,7 +69,11 @@ elif [ "${FORMAT}" = "ext4" ] || [ "${FORMAT}" = "ext2" ]; then
   # Note: We didn't chown to root:root, meaning that the file ownership is left as is
   mkfs."${FORMAT}" -E root_owner=0:0 -d "${SYSEXTNAME}" "${SYSEXTNAME}".raw
   resize2fs -M "${SYSEXTNAME}".raw
-else
+elif [ "${FORMAT}" = "squashfs" ]; then
   mksquashfs "${SYSEXTNAME}" "${SYSEXTNAME}".raw -all-root
+elif [ "${FORMAT}" = "verity" ]; then
+  systemd-repart --private-key="${KEY}" --certificate="${CERT}" --root="${SYSEXTNAME}" --no-pager --empty=create --size=auto --definitions=repart.d "${SYSEXTNAME}.raw"
+else
+  die "Unsupported format: ${FORMAT}"
 fi
 echo "Created ${SYSEXTNAME}.raw"
diff --git a/repart.d/01-root.conf b/repart.d/01-root.conf
new file mode 100644
index 0000000..890fde6
--- /dev/null
+++ b/repart.d/01-root.conf
@@ -0,0 +1,7 @@
+[Partition]
+Type=root
+CopyFiles=/:/
+Format=squashfs
+Minimize=best
+Verity=data
+VerityMatchKey=sysext
diff --git a/repart.d/02-verity.conf b/repart.d/02-verity.conf
new file mode 100644
index 0000000..fc3ab37
--- /dev/null
+++ b/repart.d/02-verity.conf
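Review bot: The verity guard only rejects an empty `KEY`/`CERT`, so a mistyped or unreadable path is not caught until systemd-repart fails at the end of the build, after the whole tree has been staged; checking the files up front gives a clear early error, e.g. `[ -r "${KEY}" ] || die "\$KEY must be a readable private key file: '${KEY}'"` and the same for `CERT`. The `[ -z … ] && die` form does work under `set -e` because the failing `[` is not the last command of the list, but the `||` form reads as the assertion it is meant to be. Stylistically, the `case` arms that all do nothing can be merged into `squashfs|btrfs|ext4|ext2|verity) ;;`, and the quoted `'${FORMAT}'` in this `die` message differs from the unquoted one in the `else` branch of the next hunk.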
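Review bot: `--definitions=repart.d` is resolved relative to the caller's working directory rather than to bake.sh, yet the script describes itself as a helper called by other scripts, so the verity branch only works when invoked from the repository root; anchoring it to the script's own location, `--definitions="$(dirname "${BASH_SOURCE[0]}")/repart.d"`, removes that dependency on cwd. Separately, the new repart.d files use `Type=root`, which systemd-repart resolves for the build host's architecture unless `--architecture=` is given, while the script already derives an `ARCH` value; on a cross build the two could disagree, which is worth confirming. The trailing `else … die` appears unreachable after the `case` validation in the previous hunk, which is acceptable as defence-in-depth but its message should match the one used there.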
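Review bot: The other formats normalise file ownership explicitly (`-all-root` for mksquashfs, `root_owner=0:0` for mkfs.ext*), whereas this definition relies on `CopyFiles=/:/` alone, so whether the resulting squashfs ends up root-owned presumably depends on how systemd-repart copies the staged tree and on the user running bake.sh; this should be confirmed against the other formats, since a sysext with unexpected ownership behaves differently once merged. A one-line comment stating the expected ownership outcome of `CopyFiles=` in this file would record the intent for the next reader.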
@@ -0,0 +1,7 @@
+[Partition]
+Type=root-verity
+Verity=hash
+VerityMatchKey=sysext
+# Only works from v255
+Minimize=best
+SizeMinBytes=4K
diff --git a/repart.d/03-verity-sig.conf b/repart.d/03-verity-sig.conf
new file mode 100644
index 0000000..e18269e
--- /dev/null
+++ b/repart.d/03-verity-sig.conf
@@ -0,0 +1,4 @@
+[Partition]
+Type=root-verity-sig
+Verity=signature
+VerityMatchKey=sysext
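Review bot: The comment `# Only works from v255` sits above two keys, `Minimize=best` and `SizeMinBytes=4K`, so it is unclear which of them requires the newer systemd that the commit message mentions; naming the key, e.g. `# Minimize= on a verity hash partition needs systemd >= v255` if that is the one, records the actual constraint. If both keys depend on it, the comment should say so, since the README only states the v255 requirement for the feature as a whole and not the reason.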
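Review bot: A signature partition only provides protection when the consuming system trusts the signing certificate; systemd validates embedded root-hash signatures against certificates installed under `/etc/verity.d/` (or the `/run` and `/usr/lib` equivalents), and neither this file nor the README hunk mentions deploying `CERT` there, so an image built this way will be accepted or rejected depending on host setup the reader is never told about. A short comment such as `# The signature is verified against certificates in /etc/verity.d/ on the consuming host` would make that deployment step explicit.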