Adding dm-verity support for rootfs

This adds support for dm-vertiy on the root filesystem.
Currently only squashfs is supported.

Three new flags are introduced.
 * --dm-verity: Enable basic dm-verity support
 * --dm-verity-fec NB_ROOTS: Enable forward error correction. Optional
 * --dm-verity-sign SCRIPT: Specify signing script for the root hash. Optional

4 files changed, 148 insertions, 1 deletions

diff --git a/debian/control b/debian/control
index b9fb3d139..eafe3bbcd 100644
--- a/debian/control
+++ b/debian/control
@@ -23,6 +23,7 @@ Recommends:
  apt-utils,
  bzip2,
  cpio,
+ cryptsetup,
  file,
  live-boot-doc,
  live-config-doc,
diff --git a/scripts/build/binary b/scripts/build/binary
index 971e28b95..bdf755e3c 100755
--- a/scripts/build/binary
+++ b/scripts/build/binary
@@ -46,6 +46,7 @@ fi
 
 # Building root filesystem
 lb binary_rootfs "${@}"
+lb binary_dm-verity "${@}"
 lb binary_manifest "${@}"
 
 # Prepare images
diff --git a/scripts/build/binary_dm-verity b/scripts/build/binary_dm-verity
new file mode 100755
index 000000000..fb33c7a5f
--- /dev/null
+++ b/scripts/build/binary_dm-verity
@@ -0,0 +1,117 @@
+#!/bin/sh
+
+## live-build(7) - System Build Scripts
+## Copyright (C) 2021-2021 The Debian Live team
+##
+## This program comes with ABSOLUTELY NO WARRANTY; for details see COPYING.
+## This is free software, and you are welcome to redistribute it
+## under certain conditions; see COPYING for details.
+
+
+set -e
+
+# Including common functions
+[ -e "${LIVE_BUILD}/scripts/build.sh" ] && . "${LIVE_BUILD}/scripts/build.sh" || . /usr/lib/live/build.sh
+
+# Setting static variables
+DESCRIPTION="Add dm-verity hash for rootfs"
+USAGE="${PROGRAM} [--force]"
+
+# Processing arguments and configuration files
+Init_config_data "${@}"
+
+if [ "${LB_DM_VERITY}"  != "true" ]
+then
+    Create_stagefile
+    exit 0
+fi
+
+Echo_message "Begin creating dm-verity hash for rootfs"
+
+if [ "${LB_CHROOT_FILESYSTEM}" != "squashfs" ]
+then
+    Echo_error "dm-verity support is only implemented for squashfs"
+    exit 1
+fi
+
+
+case "${LB_INITRAMFS}" in
+	live-boot)
+		INITFS="live"
+		;;
+
+	*)
+		INITFS="boot"
+		;;
+esac
+
+ROOT_FS="binary/${INITFS}/filesystem.${LB_CHROOT_FILESYSTEM}"
+HASH_FS="${ROOT_FS}.verity"
+HASH_FILE="${ROOT_FS}.roothash"
+FEC_FILE="${ROOT_FS}.fec"
+FEC_ROOTS_FILE="${FEC_FILE}.roots"
+SIGNATURE_FILE="${HASH_FILE}.p7s"
+Check_package chroot /usr/sbin/veritysetup cryptsetup
+
+# Restoring cache
+Restore_package_cache binary
+
+# Installing depends
+Install_packages
+
+
+# Remove old files if existing
+for file in "${HASH_FS}" "${HASH_FILE}" "${FEC_FILE}"  "${SIGNATURE_FILE}" "${FEC_ROOTS_FILE}"
+do
+    if [ -f ${file} ]
+    then
+        Echo_message "Removing old ${file}"
+        rm -f  "${file}"
+    fi
+done
+
+Echo_message "Create dm-verity hash table"
+
+verity_flags=""
+if [ -n "${LB_DM_VERITY_FEC_ROOTS}" ]
+then
+Echo_message "Enabling FEC support for dm-verity rootfs"
+verity_flags="${verity_flags} --fec-device=${FEC_FILE} --fec-roots=${LB_DM_VERITY_FEC_ROOTS}"
+fi
+
+ROOT_HASH=$(veritysetup ${verity_flags} format ${ROOT_FS} ${HASH_FS} |  awk -F ":" '$1=="Root hash" {print $2}' | tr -d [:space:])
+
+if [ "$?" != "0" ]
+then
+    Echo_error "veritysetup failed"
+    exit 1
+fi
+
+if [ -n "${LB_DM_VERITY_FEC_ROOTS}" ]
+then
+    echo -n "${LB_DM_VERITY_FEC_ROOTS}" > "${FEC_ROOTS_FILE}"
+fi
+
+echo -n "${ROOT_HASH}" > "${HASH_FILE}"
+Echo_message "Creating the hash table was successful"
+
+# Sign root hash if a signing script is provided The script gets called with the
+# hash as the first argument and a output file as the second.
+if [ -n "${LB_DM_VERITY_SIGN}" ]
+then
+    Echo_message "Enabling root hash signing"
+    TMP_SIGN=$(mktemp)
+    Echo_message "Calling sign script ${LB_DM_VERITY_SIGN}"
+    ${LB_DM_VERITY_SIGN} ${ROOT_HASH} ${TMP_SIGN}
+    if [ "$?" != "0" ]
+    then
+        Echo_error "Sign script failed with exit code: $? !"
+        exit 1
+    fi
+    cat "${TMP_SIGN}" > "${SIGNATURE_FILE}"
+    rm "${TMP_SIGN}"
+fi
+
+
+# Creating stage file
+Create_stagefile
\ No newline at end of file
diff --git a/scripts/build/config b/scripts/build/config
index 59fcf1f3f..14cff154b 100755
--- a/scripts/build/config
+++ b/scripts/build/config
@@ -65,6 +65,9 @@ USAGE="${PROGRAM} [--apt apt|apt-get|aptitude]\n\
 \t    [-d|--distribution CODENAME]\n\
 \t    [--distribution-binary CODENAME]\n\
 \t    [--distribution-chroot CODENAME]\n\
+\t    [--dm-verity]\n\
+\t    [--dm-verity-fec NB_ROOTS]\n\
+\t    [--dm-verity-sign SIGN_SCRIPT]\n\
 \t    [--dump]\n\
 \t    [--firmware-binary true|false]\n\
 \t    [--firmware-chroot true|false]\n\
@@ -145,7 +148,8 @@ Local_arguments ()
 		config:,debconf-frontend:,debconf-priority:,debian-installer:,
 		debian-installer-distribution:,debian-installer-gui:,
 		debian-installer-preseedfile:,debootstrap-options:,debootstrap-script:,
-		debug,distribution:,distribution-binary:,distribution-chroot:,dump,
+		debug,dm-verity,dm-verity-fec:,dm-verity-sign:,
+		distribution:,distribution-binary:,distribution-chroot:,dump,
 		fdisk:,firmware-binary:,firmware-chroot:,force,
 		grub-splash:,gzip-options:,
 		hdd-label:,hdd-partition-start:,hdd-size:,help,
@@ -492,6 +496,21 @@ Local_arguments ()
 				shift 2
 				;;
 
+			--dm-verity)
+				LB_DM_VERITY="true"
+				shift
+				;;
+
+			--dm-verity-fec)
+				LB_DM_VERITY_FEC_ROOTS="${2}"
+				shift 2
+				;;
+
+			--dm-verity-sign)
+				LB_DM_VERITY_SIGN="${2}"
+				shift 2
+				;;
+
 			--fdisk)
 				Echo_warning "--fdisk is an obsolete option"
 				shift 2
@@ -1214,6 +1233,15 @@ LB_CHECKSUMS="${LB_CHECKSUMS}"
 # Set compression
 LB_COMPRESSION="${LB_COMPRESSION}"
 
+# Support dm-verity on rootfs
+LB_DM_VERITY="${LB_DM_VERITY}"
+
+# Support FEC on dm-verity rootfs
+LB_DM_VERITY_FEC_ROOTS="${LB_DM_VERITY_FEC_ROOTS}"
+
+# Set sign script for roothash for dm-verity rootfs
+LB_DM_VERITY_SIGN="${LB_DM_VERITY_SIGN}"
+
 # Set zsync
 LB_ZSYNC="${LB_ZSYNC}"