-rw-r--r-- | debian/control | 1 | ||||
-rwxr-xr-x | scripts/build/binary | 1 | ||||
-rwxr-xr-x | scripts/build/binary_dm-verity | 117 | ||||
-rwxr-xr-x | scripts/build/config | 30 |
4 files changed, 148 insertions, 1 deletions
diff --git a/debian/control b/debian/control
index b9fb3d139..eafe3bbcd 100644
--- a/debian/control
+++ b/debian/control
@@ -23,6 +23,7 @@ Recommends:
  apt-utils,
  bzip2,
  cpio,
+ cryptsetup,
  file,
  live-boot-doc,
  live-config-doc,
diff --git a/scripts/build/binary b/scripts/build/binary
index 971e28b95..bdf755e3c 100755
--- a/scripts/build/binary
+++ b/scripts/build/binary
@@ -46,6 +46,7 @@ fi
 
 # Building root filesystem
 lb binary_rootfs "${@}"
+lb binary_dm-verity "${@}"
 lb binary_manifest "${@}"
 
 # Prepare images
diff --git a/scripts/build/binary_dm-verity b/scripts/build/binary_dm-verity
new file mode 100755
index 000000000..fb33c7a5f
--- /dev/null
+++ b/scripts/build/binary_dm-verity
@@ -0,0 +1,117 @@
+#!/bin/sh
+
+## live-build(7) - System Build Scripts
+## Copyright (C) 2021-2021 The Debian Live team
+##
+## This program comes with ABSOLUTELY NO WARRANTY; for details see COPYING.
+## This is free software, and you are welcome to redistribute it
+## under certain conditions; see COPYING for details.
+
+
+set -e
+
+# Including common functions
+[ -e "${LIVE_BUILD}/scripts/build.sh" ] && . "${LIVE_BUILD}/scripts/build.sh" || . /usr/lib/live/build.sh
+
+# Setting static variables
+DESCRIPTION="Add dm-verity hash for rootfs"
+USAGE="${PROGRAM} [--force]"
+
+# Processing arguments and configuration files
+Init_config_data "${@}"
+
+if [ "${LB_DM_VERITY}" != "true" ]
+then
+	Create_stagefile
+	exit 0
+fi
+
+Echo_message "Begin creating dm-verity hash for rootfs"
+
+if [ "${LB_CHROOT_FILESYSTEM}" != "squashfs" ]
+then
+	Echo_error "dm-verity support is only implemented for squashfs"
+	exit 1
+fi
+
+
+case "${LB_INITRAMFS}" in
+	live-boot)
+		INITFS="live"
+		;;
+
+	*)
+		INITFS="boot"
+		;;
+esac
+
+ROOT_FS="binary/${INITFS}/filesystem.${LB_CHROOT_FILESYSTEM}"
+HASH_FS="${ROOT_FS}.verity"
+HASH_FILE="${ROOT_FS}.roothash"
+FEC_FILE="${ROOT_FS}.fec"
+FEC_ROOTS_FILE="${FEC_FILE}.roots"
+SIGNATURE_FILE="${HASH_FILE}.p7s"
+Check_package chroot /usr/sbin/veritysetup cryptsetup
+
+# Restoring cache
+Restore_package_cache binary
+
+# Installing depends
+Install_packages
+
+
+# Remove old files if existing
+for file in "${HASH_FS}" "${HASH_FILE}" "${FEC_FILE}" "${SIGNATURE_FILE}" "${FEC_ROOTS_FILE}"
+do
+	if [ -f ${file} ]
+	then
+		Echo_message "Removing old ${file}"
+		rm -f "${file}"
+	fi
+done
+
+Echo_message "Create dm-verity hash table"
+
+verity_flags=""
+if [ -n "${LB_DM_VERITY_FEC_ROOTS}" ]
+then
+Echo_message "Enabling FEC support for dm-verity rootfs"
+verity_flags="${verity_flags} --fec-device=${FEC_FILE} --fec-roots=${LB_DM_VERITY_FEC_ROOTS}"
+fi
+
+ROOT_HASH=$(veritysetup ${verity_flags} format ${ROOT_FS} ${HASH_FS} | awk -F ":" '$1=="Root hash" {print $2}' | tr -d [:space:])
+
+if [ "$?" != "0" ]
+then
+	Echo_error "veritysetup failed"
+	exit 1
+fi
+
+if [ -n "${LB_DM_VERITY_FEC_ROOTS}" ]
+then
+	echo -n "${LB_DM_VERITY_FEC_ROOTS}" > "${FEC_ROOTS_FILE}"
+fi
+
+echo -n "${ROOT_HASH}" > "${HASH_FILE}"
+Echo_message "Creating the hash table was successful"
+
+# Sign root hash if a signing script is provided The script gets called with the
+# hash as the first argument and a output file as the second.
+if [ -n "${LB_DM_VERITY_SIGN}" ]
+then
+	Echo_message "Enabling root hash signing"
+	TMP_SIGN=$(mktemp)
+	Echo_message "Calling sign script ${LB_DM_VERITY_SIGN}"
+	${LB_DM_VERITY_SIGN} ${ROOT_HASH} ${TMP_SIGN}
+	if [ "$?" != "0" ]
+	then
+		Echo_error "Sign script failed with exit code: $? !"
+		exit 1
+	fi
+	cat "${TMP_SIGN}" > "${SIGNATURE_FILE}"
+	rm "${TMP_SIGN}"
+fi
+
+
+# Creating stage file
+Create_stagefile
\ No newline at end of file
diff --git a/scripts/build/config b/scripts/build/config
index 59fcf1f3f..14cff154b 100755
--- a/scripts/build/config
+++ b/scripts/build/config
@@ -65,6 +65,9 @@ USAGE="${PROGRAM} [--apt apt|apt-get|aptitude]\n\
 \t [-d|--distribution CODENAME]\n\
 \t [--distribution-binary CODENAME]\n\
 \t [--distribution-chroot CODENAME]\n\
+\t [--dm-verity]\n\
+\t [--dm-verity-fec NB_ROOTS]\n\
+\t [--dm-verity-sign SIGN_SCRIPT]\n\
 \t [--dump]\n\
 \t [--firmware-binary true|false]\n\
 \t [--firmware-chroot true|false]\n\
@@ -145,7 +148,8 @@ Local_arguments ()
 		config:,debconf-frontend:,debconf-priority:,debian-installer:,
 		debian-installer-distribution:,debian-installer-gui:,
 		debian-installer-preseedfile:,debootstrap-options:,debootstrap-script:,
-		debug,distribution:,distribution-binary:,distribution-chroot:,dump,
+		debug,dm-verity,dm-verity-fec:,dm-verity-sign:,
+		distribution:,distribution-binary:,distribution-chroot:,dump,
 		fdisk:,firmware-binary:,firmware-chroot:,force,
 		grub-splash:,gzip-options:,
 		hdd-label:,hdd-partition-start:,hdd-size:,help,
@@ -492,6 +496,21 @@ Local_arguments ()
 				shift 2
 				;;
 
+			--dm-verity)
+				LB_DM_VERITY="true"
+				shift
+				;;
+
+			--dm-verity-fec)
+				LB_DM_VERITY_FEC_ROOTS="${2}"
+				shift 2
+				;;
+
+			--dm-verity-sign)
+				LB_DM_VERITY_SIGN="${2}"
+				shift 2
+				;;
+
 			--fdisk)
 				Echo_warning "--fdisk is an obsolete option"
 				shift 2
@@ -1214,6 +1233,15 @@ LB_CHECKSUMS="${LB_CHECKSUMS}"
 
 # Set compression
 LB_COMPRESSION="${LB_COMPRESSION}"
 
+# Support dm-verity on rootfs
+LB_DM_VERITY="${LB_DM_VERITY}"
+
+# Support FEC on dm-verity rootfs
+LB_DM_VERITY_FEC_ROOTS="${LB_DM_VERITY_FEC_ROOTS}"
+
+# Set sign script for roothash for dm-verity rootfs
+LB_DM_VERITY_SIGN="${LB_DM_VERITY_SIGN}"
+
 # Set zsync
 LB_ZSYNC="${LB_ZSYNC}"
|
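Review bot: The `if [ "$?" != "0" ]` that follows the `ROOT_HASH=$(veritysetup ... | awk ... | tr ...)` line never observes veritysetup's status: in a POSIX sh pipeline `$?` is the status of the last stage (`tr`), and under `set -e` a non-zero status there would already have aborted, so a failed `veritysetup format` leaves `ROOT_HASH` empty and the script goes on to write an empty `.roothash` and report "Creating the hash table was successful". The same check in the signing block is likewise dead under `set -e`, the `$?` inside `Echo_error "Sign script failed with exit code: $? !"` is the status of the preceding `[` test rather than of the sign script, and `TMP_SIGN` is left behind on that path. Testing the extracted hash with `[ -z "${ROOT_HASH}" ]` and capturing the sign script's status explicitly makes both paths fail closed, as sketched below; quoting the `tr` argument as `'[:space:]'` also stops it from being globbed against the working directory. Separately, `Check_package chroot /usr/sbin/veritysetup cryptsetup` appears to check for the tool inside the chroot while the `veritysetup` call itself is not wrapped in `Chroot`, so it looks like it runs on the host (the `debian/control` hunk adds `cryptsetup` to the host Recommends) — confirm which side is intended.
```shell
ROOT_HASH=$(veritysetup ${verity_flags} format "${ROOT_FS}" "${HASH_FS}" | awk -F ":" '$1=="Root hash" {print $2}' | tr -d '[:space:]')

# In a pipeline $? is tr's status and set -e already aborts on it; an empty
# hash is the observable sign that veritysetup itself failed.
if [ -z "${ROOT_HASH}" ]
then
	Echo_error "veritysetup failed"
	exit 1
fi

# … unchanged: FEC roots file, roothash file, success message …

if [ -n "${LB_DM_VERITY_SIGN}" ]
then
	Echo_message "Enabling root hash signing"
	TMP_SIGN=$(mktemp)
	Echo_message "Calling sign script ${LB_DM_VERITY_SIGN}"
	SIGN_RC=0
	${LB_DM_VERITY_SIGN} "${ROOT_HASH}" "${TMP_SIGN}" || SIGN_RC=$?
	if [ "${SIGN_RC}" != "0" ]
	then
		rm -f "${TMP_SIGN}"
		Echo_error "Sign script failed with exit code: ${SIGN_RC} !"
		exit 1
	fi
	cat "${TMP_SIGN}" > "${SIGNATURE_FILE}"
	rm "${TMP_SIGN}"
fi
```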
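Review bot: In the `@@ -492,6 +496,21 @@` hunk, `--dm-verity-fec)` stores `${2}` into `LB_DM_VERITY_FEC_ROOTS` without checking that it is a number, and `--dm-verity-sign)` stores `${2}` without checking that it names an executable; both values are consumed only much later in `binary_dm-verity` (as `--fec-roots=...` and as a command name), so a typo surfaces as a late build failure instead of at configuration time. A parse-time guard such as `case "${2}" in *[!0-9]*|'') Echo_error "--dm-verity-fec expects a number"; exit 1 ;; esac` before the assignment would fail early. Also, `--dm-verity` takes no value while its neighbours such as `--firmware-binary true|false` do, so from the command line it can apparently only be switched on, and the `@@ -1214,6 +1233,15 @@` hunk writes `LB_DM_VERITY="${LB_DM_VERITY}"` with whatever was set; where `LB_DM_VERITY` receives its default is outside these hunks. `Local_arguments ()` begins and ends outside the hunk.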