This commit adds a new TARGET_ROOTFS_SQUASHFS_HASHED option that asks
OpenWRT to generate a squashfs image suitable for usage with
dm-verity. The squashfs image is produced, and then passed through
"cryptsetup format" which appends the hash tree to the image.
The output of "cryptsetup format" is passed to a custom script that
parses that output and generates a U-Boot script that defines U-Boot
variables describing the different aspects of the dm-verity
volume. Such values are necessary to be able to build the kernel
command line to mount the dm-verity volume as the root filesystem.
We provide a common Image/mkfs/squashfs-common macro, which gets used
by both the normal SquashFS filesystem generation and the
verity-hashed SquashFS filesystem generation. There is one difference
between the two: the normal SquashFS filesystem is generated with
-nopad, but the one generated for dm-verity is generated without
-no-pad, as it needs to be properly aligned to a block size.
Signed-off-by: Thomas Petazzoni <thomas.petazz...@bootlin.com>
---
config/Config-images.in | 8 +++++
include/image.mk | 17 ++++++++--
scripts/prepare-dm-verity-uboot-script.sh | 41 +++++++++++++++++++++++
tools/Makefile | 1 +
4 files changed, 64 insertions(+), 3 deletions(-)
create mode 100755 scripts/prepare-dm-verity-uboot-script.sh
diff --git a/config/Config-images.in b/config/Config-images.in
index 4ee0273f63..37e7ad6cff 100644
--- a/config/Config-images.in
+++ b/config/Config-images.in
@@ -153,6 +153,14 @@ menu "Target Images"
default 1024 if (SMALL_FLASH && !LOW_MEMORY_FOOTPRINT)
default 256
+ config TARGET_ROOTFS_SQUASHFS_HASHED
+ bool "hash with veritysetup"
+ select KERNEL_MD
+ select KERNEL_BLK_DEV_DM
+ select KERNEL_DM_VERITY
+ select KERNEL_DM_INIT
+ depends on TARGET_ROOTFS_SQUASHFS
+
menuconfig TARGET_ROOTFS_UBIFS
bool "ubifs"
default y if USES_UBIFS
diff --git a/include/image.mk b/include/image.mk
index 8592c19b99..e4e4dc456d 100644
--- a/include/image.mk
+++ b/include/image.mk
@@ -90,6 +90,7 @@ endif
JFFS2_BLOCKSIZE ?= 64k 128k
fs-types-$(CONFIG_TARGET_ROOTFS_SQUASHFS) += squashfs
+fs-types-$(CONFIG_TARGET_ROOTFS_SQUASHFS_HASHED) += squashfs-hashed
fs-types-$(CONFIG_TARGET_ROOTFS_JFFS2) += $(addprefix
jffs2-,$(JFFS2_BLOCKSIZE))
fs-types-$(CONFIG_TARGET_ROOTFS_JFFS2_NAND) += $(addprefix
jffs2-nand-,$(NAND_BLOCKSIZE))
fs-types-$(CONFIG_TARGET_ROOTFS_EXT4FS) += ext4
@@ -239,11 +240,21 @@ endef
$(eval $(foreach S,$(JFFS2_BLOCKSIZE),$(call Image/mkfs/jffs2/template,$(S))))
$(eval $(foreach S,$(NAND_BLOCKSIZE),$(call
Image/mkfs/jffs2-nand/template,$(S))))
-define Image/mkfs/squashfs
+define Image/mkfs/squashfs-common
$(STAGING_DIR_HOST)/bin/mksquashfs4 $(call mkfs_target_dir,$(1)) $@ \
- -nopad -noappend -root-owned \
+ -noappend -root-owned \
-comp $(SQUASHFSCOMP) $(SQUASHFSOPT) \
- -processors 1
+ -processors 1 $(2)
+endef
+
+define Image/mkfs/squashfs
+ $(call Image/mkfs/squashfs-common,$(1),-nopad)
+endef
+
+define Image/mkfs/squashfs-hashed
+ $(call Image/mkfs/squashfs-common,$(1))
+ $(STAGING_DIR_HOST)/bin/veritysetup format --hash-offset=`stat -c "%s"
$@` $@ $@ \
+ | $(TOPDIR)/scripts/prepare-dm-verity-uboot-script.sh >
$@-dm-verity-uboot-script.txt
endef
# $(1): board name
diff --git a/scripts/prepare-dm-verity-uboot-script.sh
b/scripts/prepare-dm-verity-uboot-script.sh
new file mode 100755
index 0000000000..846e52b989
--- /dev/null
+++ b/scripts/prepare-dm-verity-uboot-script.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+while read line; do
+ key=$(echo ${line} | cut -f1 -d':')
+ value=$(echo ${line} | cut -f2 -d':')
+
+ case "${key}" in
+ "UUID")
+ UUID=${value}
+ ;;
+ "Data blocks")
+ DATA_BLOCKS=${value}
+ ;;
+ "Data block size")
+ DATA_BLOCK_SIZE=${value}
+ ;;
+ "Hash block size")
+ HASH_BLOCK_SIZE=${value}
+ ;;
+ "Hash algorithm")
+ HASH_ALG=${value}
+ ;;
+ "Salt")
+ SALT=${value}
+ ;;
+ "Root hash")
+ ROOT_HASH=${value}
+ ;;
+ esac
+done
+
+SECTORS=$((${DATA_BLOCKS} * 8))
+
+echo setenv verity_sectors $((${DATA_BLOCKS} * 8))
+echo setenv verity_data_blocks ${DATA_BLOCKS}
+echo setenv verity_hash_start $((${DATA_BLOCKS} + 1))
+echo setenv verity_data_block_sz ${DATA_BLOCK_SIZE}
+echo setenv verity_hash_block_sz ${HASH_BLOCK_SIZE}
+echo setenv verity_hash_alg ${HASH_ALG}
+echo setenv verity_salt ${SALT}
+echo setenv verity_root_hash ${ROOT_HASH}
diff --git a/tools/Makefile b/tools/Makefile
index cf91f04100..b9e1f4d1e4 100644
--- a/tools/Makefile
+++ b/tools/Makefile
@@ -39,6 +39,7 @@ tools-$(BUILD_ISL) += isl
tools-$(CONFIG_USE_SPARSE) += sparse
tools-$(CONFIG_TARGET_apm821xx)$(CONFIG_TARGET_gemini) += genext2fs
tools-$(CONFIG_TARGET_tegra) += cbootimage cbootimage-configs
+tools-$(CONFIG_TARGET_ROOTFS_SQUASHFS_HASHED) += cryptsetup lvm2 libaio popt
libjson-c
# builddir dependencies
$(curdir)/bison/compile := $(curdir)/flex/compile
--
2.23.0
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
