Add script to wrap filesystem image in DDI #24
base: main
I think we should use systemd-repart^^
The examples don't cover it because one would also need a third partition with
I know you do :) I'll try that next
I'm not against having this script available, too
with a dm-verity hash-tree and signed root hash. Signed-off-by: Jeremi Piotrowski <[email protected]>
This uses systemd-repart for image generation, but requires the unreleased v255 due to bugs and missing features in earlier versions. Signed-off-by: Jeremi Piotrowski <[email protected]>
@pothos: I've added systemd-repart for verity DDI creation to bake.sh
### Verity | ||
To generate sysext protected by dm-verity with a signed root hash pass `FORMAT=verity` before invoking any of the scripts. This requires `systemd-repart` with a version >= v255. This also requires passing a path to a private key and certificate through `KEY` and `CERT`. |
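Review bot: The Verity paragraph introduces `KEY` and `CERT` without saying what file format each must be in, and it gives no example invocation. Suggest stating the expected format next to the variable names and adding one command line with `FORMAT=verity`, `KEY` and `CERT` all set, so a reader does not have to infer the usage from the script.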
A sentence on how these can be loaded would be good.
To generate sysext protected by dm-verity with a signed root hash pass `FORMAT=verity` before invoking any of the scripts. This requires `systemd-repart` with a version >= v255. This also requires passing a path to a private key and certificate through `KEY` and `CERT`. | |
To generate sysext protected by dm-verity with a signed root hash pass `FORMAT=verity` before invoking any of the scripts. This requires `systemd-repart` with a version >= v255. This also requires passing a path to a private key and certificate through `KEY` and `CERT`. To load the image, add the certificate file to `/etc/verity.d/`. |
mksquashfs "${SYSEXTNAME}" "${SYSEXTNAME}".raw -all-root | ||
elif [ "${FORMAT}" = "verity" ]; then | ||
systemd-repart --private-key="${KEY}" --certificate="${CERT}" --root="${SYSEXTNAME}" --no-pager --empty=create --size=auto --definitions=repart.d "${SYSEXTNAME}.raw" |
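Review bot: In the new `verity` branch, `${KEY}` and `${CERT}` are passed straight to `--private-key=` and `--certificate=` with no check in this hunk that either is set or points to a readable file, so a missing variable only surfaces as a systemd-repart error. Suggest failing early with a clear message when either one is empty or not a file. The `--definitions=repart.d` path is also resolved against the caller's working directory; building it from the script's own directory would remove that dependency.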
This assumes to be running in the script's folder, we need to add a cd
or use an absolute path for --definitions=
Thanks!
From the NEWS entries for 255:
I think we hit a roadblock with sysext signature policies: if we enforce signatures for sysexts then all of them need to be signed, but we didn't want to prevent users from loading their own sysexts. And the signing key needs to be built into the kernel or provided through UEFI mechanisms, which greatly limits mixing Flatcar provided sysexts with user provided ones.
@jepio Thank you for this. So, I think, this PR will be closed as not applicable, right?
with a dm-verity hash-tree and signed root hash.
This is an example for how to do things for sysexts that will be built into flatcar.