blob: c9d899c42114a0ba19da94262f8a4f91ea1077a9 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
|
#!/bin/sh
## live-build(7) - System Build Scripts
## Copyright (C) 2021-2021 The Debian Live team
##
## This program comes with ABSOLUTELY NO WARRANTY; for details see COPYING.
## This is free software, and you are welcome to redistribute it
## under certain conditions; see COPYING for details.
set -e
# Including common functions
[ -e "${LIVE_BUILD}/scripts/build.sh" ] && . "${LIVE_BUILD}/scripts/build.sh" || . /usr/lib/live/build.sh
# Setting static variables
DESCRIPTION="Add dm-verity hash for rootfs"
USAGE="${PROGRAM} [--force]"
# Processing arguments and configuration files
Init_config_data "${@}"
if [ "${LB_DM_VERITY}" != "true" ]
then
Create_stagefile
exit 0
fi
Echo_message "Begin creating dm-verity hash for rootfs"
case ${LB_CHROOT_FILESYSTEM} in
squashfs|ext2|ext3|ext4)
;;
*)
Echo_error "dm-verity support is not implemented for ${LB_CHROOT_FILESYSTEM}!"
exit 1
;;
esac
case "${LB_INITRAMFS}" in
live-boot)
INITFS="live"
;;
*)
INITFS="boot"
;;
esac
ROOT_FS="binary/${INITFS}/filesystem.${LB_CHROOT_FILESYSTEM}"
HASH_FS="${ROOT_FS}.verity"
HASH_FILE="${ROOT_FS}.roothash"
FEC_FILE="${ROOT_FS}.fec"
FEC_ROOTS_FILE="${FEC_FILE}.roots"
SIGNATURE_FILE="${HASH_FILE}.p7s"
Check_package chroot /usr/sbin/veritysetup cryptsetup
# Restoring cache
Restore_package_cache binary
# Installing depends
Install_packages
# Remove old files if existing
for file in "${HASH_FS}" "${HASH_FILE}" "${FEC_FILE}" "${SIGNATURE_FILE}" "${FEC_ROOTS_FILE}"
do
if [ -f ${file} ]
then
Echo_message "Removing old ${file}"
rm -f "${file}"
fi
done
Echo_message "Create dm-verity hash table"
verity_flags=""
if [ -n "${LB_DM_VERITY_FEC_ROOTS}" ]
then
Echo_message "Enabling FEC support for dm-verity rootfs"
verity_flags="${verity_flags} --fec-device=${FEC_FILE} --fec-roots=${LB_DM_VERITY_FEC_ROOTS}"
fi
ROOT_HASH=$(veritysetup ${verity_flags} format ${ROOT_FS} ${HASH_FS} | awk -F ":" '$1=="Root hash" {print $2}' | tr -d [:space:])
if [ "$?" != "0" ]
then
Echo_error "veritysetup failed"
exit 1
fi
if [ -n "${LB_DM_VERITY_FEC_ROOTS}" ]
then
echo -n "${LB_DM_VERITY_FEC_ROOTS}" > "${FEC_ROOTS_FILE}"
fi
echo -n "${ROOT_HASH}" > "${HASH_FILE}"
Echo_message "Creating the hash table was successful"
# Sign root hash if a signing script is provided The script gets called with the
# hash as the first argument and a output file as the second.
if [ -n "${LB_DM_VERITY_SIGN}" ]
then
Echo_message "Enabling root hash signing"
TMP_SIGN=$(mktemp)
Echo_message "Calling sign script ${LB_DM_VERITY_SIGN}"
${LB_DM_VERITY_SIGN} ${ROOT_HASH} ${TMP_SIGN}
if [ "$?" != "0" ]
then
Echo_error "Sign script failed with exit code: $? !"
exit 1
fi
cat "${TMP_SIGN}" > "${SIGNATURE_FILE}"
rm "${TMP_SIGN}"
fi
# Creating stage file
Create_stagefile
|
