Diffstat (limited to 'scripts/build/binary_dm-verity')
-rwxr-xr-x | scripts/build/binary_dm-verity | 117 |
1 files changed, 117 insertions, 0 deletions
diff --git a/scripts/build/binary_dm-verity b/scripts/build/binary_dm-verity
new file mode 100755
index 000000000..fb33c7a5f
--- /dev/null
+++ b/scripts/build/binary_dm-verity
@@ -0,0 +1,117 @@
+#!/bin/sh
+
+## live-build(7) - System Build Scripts
+## Copyright (C) 2021-2021 The Debian Live team
+##
+## This program comes with ABSOLUTELY NO WARRANTY; for details see COPYING.
+## This is free software, and you are welcome to redistribute it
+## under certain conditions; see COPYING for details.
+
+
+set -e
+
+# Including common functions
+[ -e "${LIVE_BUILD}/scripts/build.sh" ] && . "${LIVE_BUILD}/scripts/build.sh" || . /usr/lib/live/build.sh
+
+# Setting static variables
+DESCRIPTION="Add dm-verity hash for rootfs"
+USAGE="${PROGRAM} [--force]"
+
+# Processing arguments and configuration files
+Init_config_data "${@}"
+
+if [ "${LB_DM_VERITY}" != "true" ]
+then
+ Create_stagefile
+ exit 0
+fi
+
+Echo_message "Begin creating dm-verity hash for rootfs"
+
+if [ "${LB_CHROOT_FILESYSTEM}" != "squashfs" ]
+then
+ Echo_error "dm-verity support is only implemented for squashfs"
+ exit 1
+fi
+
+
+case "${LB_INITRAMFS}" in
+ live-boot)
+ INITFS="live"
+ ;;
+
+ *)
+ INITFS="boot"
+ ;;
+esac
+
+ROOT_FS="binary/${INITFS}/filesystem.${LB_CHROOT_FILESYSTEM}"
+HASH_FS="${ROOT_FS}.verity"
+HASH_FILE="${ROOT_FS}.roothash"
+FEC_FILE="${ROOT_FS}.fec"
+FEC_ROOTS_FILE="${FEC_FILE}.roots"
+SIGNATURE_FILE="${HASH_FILE}.p7s"
+Check_package chroot /usr/sbin/veritysetup cryptsetup
+
+# Restoring cache
+Restore_package_cache binary
+
+# Installing depends
+Install_packages
+
+
+# Remove old files if existing
+for file in "${HASH_FS}" "${HASH_FILE}" "${FEC_FILE}" "${SIGNATURE_FILE}" "${FEC_ROOTS_FILE}"
+do
+ if [ -f ${file} ]
+ then
+ Echo_message "Removing old ${file}"
+ rm -f "${file}"
+ fi
+done
+
+Echo_message "Create dm-verity hash table"
+
+verity_flags=""
+if [ -n "${LB_DM_VERITY_FEC_ROOTS}" ]
+then
+Echo_message "Enabling FEC support for dm-verity rootfs"
+verity_flags="${verity_flags} --fec-device=${FEC_FILE} --fec-roots=${LB_DM_VERITY_FEC_ROOTS}"
+fi
+
+ROOT_HASH=$(veritysetup ${verity_flags} format ${ROOT_FS} ${HASH_FS} | awk -F ":" '$1=="Root hash" {print $2}' | tr -d [:space:])
+
+if [ "$?" != "0" ]
+then
+ Echo_error "veritysetup failed"
+ exit 1
+fi
+
+if [ -n "${LB_DM_VERITY_FEC_ROOTS}" ]
+then
+ echo -n "${LB_DM_VERITY_FEC_ROOTS}" > "${FEC_ROOTS_FILE}"
+fi
+
+echo -n "${ROOT_HASH}" > "${HASH_FILE}"
+Echo_message "Creating the hash table was successful"
+
+# Sign root hash if a signing script is provided The script gets called with the
+# hash as the first argument and a output file as the second.
+if [ -n "${LB_DM_VERITY_SIGN}" ]
+then
+ Echo_message "Enabling root hash signing"
+ TMP_SIGN=$(mktemp)
+ Echo_message "Calling sign script ${LB_DM_VERITY_SIGN}"
+ ${LB_DM_VERITY_SIGN} ${ROOT_HASH} ${TMP_SIGN}
+ if [ "$?" != "0" ]
+ then
+ Echo_error "Sign script failed with exit code: $? !"
+ exit 1
+ fi
+ cat "${TMP_SIGN}" > "${SIGNATURE_FILE}"
+ rm "${TMP_SIGN}"
+fi
+
+
+# Creating stage file
+Create_stagefile
\ No newline at end of file |
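Review bot: The `if [ "$?" != "0" ]` checks after the `ROOT_HASH=$(veritysetup … | awk … | tr …)` assignment and after the `${LB_DM_VERITY_SIGN} ${ROOT_HASH} ${TMP_SIGN}` call never observe a failure: with `set -e` a non-zero status from either statement terminates the script before the test runs, and in plain `sh` the assignment's status is that of the last pipeline stage (`tr`), so a failed `veritysetup format` is masked, `ROOT_HASH` is empty, and an empty `${HASH_FILE}` is written followed by the "Creating the hash table was successful" message. Running `veritysetup` under `if !` with its output in a temp file and rejecting an empty parsed hash makes that path fail loudly, as in the excerpt below. The signing branch needs the same `if ! ${LB_DM_VERITY_SIGN} "${ROOT_HASH}" "${TMP_SIGN}"` form; as written, `$?` inside the `Echo_error` message is also the status of the preceding `[` rather than the sign script's, and `${TMP_SIGN}` is left behind on the error path. Two smaller points on the same hunk: `tr -d [:space:]` should be quoted as `tr -d '[:space:]'` so the shell cannot expand it as a glob, and `${ROOT_FS}`/`${HASH_FS}` should be double-quoted on the `veritysetup` line. `Check_package chroot /usr/sbin/veritysetup cryptsetup` and `Install_packages` appear to provision `veritysetup` inside the chroot, while the `veritysetup` invoked here runs on the host against `binary/…` paths — if running on the host is intended, the package check should presumably target the host instead.
```shell
# … unchanged: verity_flags setup …
VERITY_OUT=$(mktemp)
if ! veritysetup ${verity_flags} format "${ROOT_FS}" "${HASH_FS}" > "${VERITY_OUT}"
then
	rm -f "${VERITY_OUT}"
	Echo_error "veritysetup failed"
	exit 1
fi
ROOT_HASH=$(awk -F ":" '$1=="Root hash" {print $2}' "${VERITY_OUT}" | tr -d '[:space:]')
rm -f "${VERITY_OUT}"
if [ -z "${ROOT_HASH}" ]
then
	Echo_error "could not parse root hash from veritysetup output"
	exit 1
fi
# … unchanged: FEC roots file, roothash file, success message …
	if ! ${LB_DM_VERITY_SIGN} "${ROOT_HASH}" "${TMP_SIGN}"
	then
		rm -f "${TMP_SIGN}"
		Echo_error "Sign script failed"
		exit 1
	fi
# … unchanged: copy signature, remove temp file, stage file …
```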