From 71db4f32314a1e77adde34b335ec23ef3df607f0 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Fri, 10 Sep 2021 22:10:25 +0200 Subject: [PATCH] doc: document Verity=signed --- mkosi.md | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/mkosi.md b/mkosi.md index 10b74aa1c..46975ad65 100644 --- a/mkosi.md +++ b/mkosi.md @@ -528,10 +528,24 @@ a boolean argument: either "1", "yes", or "true" to enable, or "0", `Verity=`, `--verity` -: Add an "Verity" integrity partition to the image. If enabled, the - root partition is protected with `dm-verity` against off-line +: Add an "Verity" integrity partition to the image. Takes a boolean or + the special value `signed`, and defaults to disabled. If enabled, + the root partition (or `/usr/` partition, inc ase `UsrOnly=` is + enabled) is protected with `dm-verity` against off-line modification, the verification data is placed in an additional GPT - partition. Implies `ReadOnly=yes`. + partition. Implies `ReadOnly=yes`. If this is enabled the Verity + root hash is written to an output file with `.roothash` or + `.usrhash` suffix. If set to `signed` Verity is also enabled, but + the resulting root hash is then also signed (in PKCS#7 format) with + the signature key configured with `SecureBootKey=` (or in other + words: the SecureBoot key pair is then both used to sign the kernel, + if that's enabled, and the root/`/usr/` file system). This signature + is then stored in an additiona output file with the `.roothash.p7s` + or `.usrhash.p7s` suffix in DER format. It is also written to an + additional partition in the image. The latter allows generating + self-contained signed disk images, implementing the Verity + provisions described in the [Discoverable Partitions + Specification](https://systemd.io/DISCOVERABLE_PARTITIONS). `CompressFs=`, `--compress-fs=`
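Review bot: the added documentation text carries typos that should be fixed before merge: `inc ase` should read `in case`, `additiona output file` should read `additional output file`, and `an "Verity" integrity partition` (kept from the removed line) should read `a "Verity" integrity partition`. Since the `signed` value depends on `SecureBootKey=`, the paragraph should also state what mkosi does when `Verity=signed` is set but no `SecureBootKey=` is configured (fail early or fall back to plain Verity), so readers do not end up with an image they believe is signed but is not.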