Add script to wrap filesystem image in DDI #24

@jepio jepio commented Sep 6, 2023

with a dm-verity hash-tree and signed root hash.

This is an example for how to do things for sysexts that will be built into flatcar.

pothos commented Sep 6, 2023

I think we should use systemd-repart^^

pothos commented Sep 6, 2023

The examples don't cover it because one would also need a third partition with X-verity-sig type and Verity=signature https://www.freedesktop.org/software/systemd/man/repart.d.html#Examples
The key gets passed in https://www.freedesktop.org/software/systemd/man/systemd-repart.service.html#--private-key=
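
Added example (not part of the PR or the Flatcar scripts): the three-partition layout described in the comment above, written as repart.d definition files from a shell helper. The function names, file names, the `VerityMatchKey` label, and the choice of squashfs with `CopyFiles=/` are assumptions; the version floor of 255 is the one stated in this PR.

```shell
#!/bin/sh
# Added example: helper and file names are hypothetical, not from the PR.

# Write data / hash / signature partition definitions into directory $1.
# VerityMatchKey ties the three partitions together ("sysext" is an arbitrary label).
# Afterwards pass the directory to systemd-repart as an absolute path:
#   systemd-repart --private-key="$KEY" --certificate="$CERT" --definitions="$1" ...
write_verity_defs() {
    defs_dir=$1
    mkdir -p "$defs_dir" || return 1
    cat > "$defs_dir/10-data.conf" <<'EOF'
[Partition]
Type=root
Format=squashfs
CopyFiles=/
Verity=data
VerityMatchKey=sysext
Minimize=best
EOF
    cat > "$defs_dir/20-hash.conf" <<'EOF'
[Partition]
Type=root-verity
Verity=hash
VerityMatchKey=sysext
Minimize=best
EOF
    cat > "$defs_dir/30-sig.conf" <<'EOF'
[Partition]
Type=root-verity-sig
Verity=signature
VerityMatchKey=sysext
EOF
}

# Succeed when the first line of `systemd-repart --version` output ($1)
# reports major version 255 or newer.
repart_version_ok() {
    major=$(printf '%s\n' "$1" | sed -n '1s/^systemd \([0-9][0-9]*\).*/\1/p')
    [ -n "$major" ] && [ "$major" -ge 255 ]
}

# Succeed only when key ($1) and certificate ($2) are non-empty, readable paths.
signing_inputs_ok() {
    [ -n "$1" ] && [ -r "$1" ] && [ -n "$2" ] && [ -r "$2" ]
}
```

The signature partition carries no data of its own: it holds the root hash of the hash partition signed with the key given through `--private-key=`, which is why it only needs `Verity=signature` and the shared match key.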

jepio commented Sep 6, 2023

i know you do :)

i'll try that next

@pothos pothos linked an issue Sep 6, 2023 that may be closed by this pull request

pothos commented Sep 6, 2023

I'm not against having this script available, too

with a dm-verity hash-tree and signed root hash.

Signed-off-by: Jeremi Piotrowski <[email protected]>

This uses systemd-repart for image generation, but requires the unreleased v255
due to bugs and missing features in earlier versions.

Signed-off-by: Jeremi Piotrowski <[email protected]>

jepio commented Sep 28, 2023

@pothos: i've added systemd-repart for verity DDI creation to bake.sh

@jepio jepio marked this pull request as ready for review September 28, 2023 14:21

### Verity

To generate sysext protected by dm-verity with a signed root hash pass `FORMAT=verity` before invoking any of the scripts. This requires `systemd-repart` with a version >= v255. This also requires passing a path to a private key and certificate through `KEY` and `CERT`.
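
Review bot: The last sentence of the Verity paragraph names `KEY` and `CERT` but does not say what file format they must be in or what the scripts do when `FORMAT=verity` is set and either one is missing. Suggest stating the expected format and the behaviour on a missing key or certificate, and changing "To generate sysext" to "To generate a sysext".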

A sentence on how these can be loaded would be good.

Suggested change
To generate sysext protected by dm-verity with a signed root hash pass `FORMAT=verity` before invoking any of the scripts. This requires `systemd-repart` with a version >= v255. This also requires passing a path to a private key and certificate through `KEY` and `CERT`.
To generate sysext protected by dm-verity with a signed root hash pass `FORMAT=verity` before invoking any of the scripts. This requires `systemd-repart` with a version >= v255. This also requires passing a path to a private key and certificate through `KEY` and `CERT`. To load the image, add the certificate file to `/etc/verity.d/`.

mksquashfs "${SYSEXTNAME}" "${SYSEXTNAME}".raw -all-root
elif [ "${FORMAT}" = "verity" ]; then
systemd-repart --private-key="${KEY}" --certificate="${CERT}" --root="${SYSEXTNAME}" --no-pager --empty=create --size=auto --definitions=repart.d "${SYSEXTNAME}.raw"
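
Review bot: In the `verity` branch, `${KEY}` and `${CERT}` go straight into `--private-key=` and `--certificate=` with no check visible in these lines that they are set and readable, and nothing here tests for the v255 minimum the README states. Unless the script already does this earlier, add a guard before the `systemd-repart` call that exits with a clear message when either variable is empty or the tool is too old.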

@pothos pothos Sep 28, 2023


This assumes it is running in the script's folder; we need to add a cd or use an absolute path for --definitions=

pothos commented Sep 28, 2023

> @pothos: i've added systemd-repart for verity DDI creation to bake.sh

Thanks!

pothos commented Nov 3, 2023

From the NEWS entries for 255: * New --make-ddi=confext, --make-ddi=sysext and --make-ddi=portable options have been added to make it easier to generate these types of DDIs, without having to provide repart.d definitions for them.

mnbro commented Nov 26, 2024

@jepio @pothos Do you have any news on this? Will it be merged?

jepio commented Nov 26, 2024

> @jepio @pothos Do you have any news on this? Will it be merged?

I think we hit a roadblock with sysext signature policies: if we enforce signatures for sysexts then all of them need to be signed, but we didn't want to prevent users from loading their own sysexts. And the signing key needs to be built into the kernel or provided through UEFI mechanisms, which greatly limits mixing Flatcar-provided sysexts with user-provided ones.

mnbro commented Nov 28, 2024

> > @jepio @pothos Do you have any news on this? Will it be merged?
>
> I think we hit a roadblock with sysext signature policies: if we enforce signatures for sysexts then all of them need to be signed, but we didn't want to prevent users from loading their own sysexts. And the signing key needs to be built into the kernel or provided through UEFI mechanisms, which greatly limits mixing Flatcar-provided sysexts with user-provided ones.

@jepio Thank you for this. So, I think, this PR will be closed as not applicable, right?

Successfully merging this pull request may close these issues.

[RFE] Use systemd-repart and dm-verity