Message ID | 20230510150442.2427548-3-paul.gortmaker@windriver.com |
---|---|
State | New |
Headers | show |
Series | dm-verity: add instructions for systemd x86-64 | expand |
> -----Original Message----- > From: yocto@lists.yoctoproject.org <yocto@lists.yoctoproject.org> On > Behalf Of Paul Gortmaker via lists.yoctoproject.org > Sent: den 10 maj 2023 17:05 > To: Armin Kuster <akuster808@gmail.com> > Cc: yocto@lists.yoctoproject.org > Subject: [yocto] [meta-security][PATCH 2/4] dm-verity: don't make read- > only-rootfs sound like a requirement > > From: Paul Gortmaker <paul.gortmaker@windriver.com> > > Adding to your local.conf right out of the gate: > > EXTRA_IMAGE_FEATURES = "read-only-rootfs" > > while you are trying to sort out other things can be just another > complication to an already steep learning curve. > > For example, I found simply enabling this with systemd caused: > > systemd[1]: Failed to fork off sandboxing environment for executing > generators: Protocol error > [!!!!!!] Failed to start up manager. > systemd[1]: Freezing execution. > > While I'd like to get to the root cause of that, it doesn't change that > things boot fine w/o adding to EXTRA_IMAGE_FEATURES, even though the > rootfs is still read-only courtesy of dm-verity. The error you are seeing above is due to a bug in systemd. It is fixed in version 253.4 (commit 5ed087fa46dc04ee92da12635777b2b622183a5d). //Peter
diff --git a/docs/dm-verity.txt b/docs/dm-verity.txt index ce1839520982..c2dce739790d 100644 --- a/docs/dm-verity.txt +++ b/docs/dm-verity.txt @@ -53,11 +53,18 @@ conf/local.conf and conf/bblayers.conf from the oe-init-build-env Firstly, you need the meta-security layer to conf/bblayers.conf along with the dependencies it has -- see the top level meta-security README for that. -Next, assuming you'll be using dm-verity for validation of your rootfs, -you'll need to enable read-only rootfs support in your local.conf with: +Note that if you are using dm-verity for your rootfs, then it enforces a +read-only mount right at the kernel level, so be prepared for issues such +as failed creation of temporary files and similar. + +Yocto does support additional checks and changes via setting: EXTRA_IMAGE_FEATURES = "read-only-rootfs" +...but since read-only is enforced at the kernel level already, using +this feature isn't a hard requirement. It may be best to delay/defer +making use of this until after you've established basic booting. + For more details, see the associated documentation: https://docs.yoctoproject.org/dev/dev-manual/read-only-rootfs.html