diff mbox series

[meta-security,2/4] dm-verity: don't make read-only-rootfs sound like a requirement

Message ID 20230510150442.2427548-3-paul.gortmaker@windriver.com
State New
Series dm-verity: add instructions for systemd x86-64

Commit Message

Paul Gortmaker May 10, 2023, 3:04 p.m. UTC
From: Paul Gortmaker <paul.gortmaker@windriver.com>

Adding to your local.conf right out of the gate:

  EXTRA_IMAGE_FEATURES = "read-only-rootfs"

while you are trying to sort out other things can be just another
complication to an already steep learning curve.

For example, I found simply enabling this with systemd caused:

  systemd[1]: Failed to fork off sandboxing environment for executing generators: Protocol error
  [!!!!!!] Failed to start up manager.
  systemd[1]: Freezing execution.

While I'd like to get to the root cause of that, it doesn't change that
things boot fine w/o adding to EXTRA_IMAGE_FEATURES, even though the
rootfs is still read-only courtesy of dm-verity.

Reword things so as to make it clear it isn't strictly a hard requirement
and hence can be delayed as people work through their implementation.

Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
---
 docs/dm-verity.txt | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

Comments

Peter Kjellerstedt May 14, 2023, 1:18 p.m. UTC | #1
> -----Original Message-----
> From: yocto@lists.yoctoproject.org <yocto@lists.yoctoproject.org> On
> Behalf Of Paul Gortmaker via lists.yoctoproject.org
> Sent: den 10 maj 2023 17:05
> To: Armin Kuster <akuster808@gmail.com>
> Cc: yocto@lists.yoctoproject.org
> Subject: [yocto] [meta-security][PATCH 2/4] dm-verity: don't make read-
> only-rootfs sound like a requirement
> 
> From: Paul Gortmaker <paul.gortmaker@windriver.com>
> 
> Adding to your local.conf right out of the gate:
> 
>   EXTRA_IMAGE_FEATURES = "read-only-rootfs"
> 
> while you are trying to sort out other things can be just another
> complication to an already steep learning curve.
> 
> For example, I found simply enabling this with systemd caused:
> 
>   systemd[1]: Failed to fork off sandboxing environment for executing
> generators: Protocol error
>   [!!!!!!] Failed to start up manager.
>   systemd[1]: Freezing execution.
> 
> While I'd like to get to the root cause of that, it doesn't change that
> things boot fine w/o adding to EXTRA_IMAGE_FEATURES, even though the
> rootfs is still read-only courtesy of dm-verity.

The error you are seeing above is due to a bug in systemd. It is fixed
in version 253.4 (commit 5ed087fa46dc04ee92da12635777b2b622183a5d).

//Peter

Patch

diff --git a/docs/dm-verity.txt b/docs/dm-verity.txt
index ce1839520982..c2dce739790d 100644
--- a/docs/dm-verity.txt
+++ b/docs/dm-verity.txt
@@ -53,11 +53,18 @@  conf/local.conf and conf/bblayers.conf from the oe-init-build-env
 Firstly, you need the meta-security layer to conf/bblayers.conf along with
 the dependencies it has -- see the top level meta-security README for that.
 
-Next, assuming you'll be using dm-verity for validation of your rootfs,
-you'll need to enable read-only rootfs support in your local.conf with:
+Note that if you are using dm-verity for your rootfs, then it enforces a
+read-only mount right at the kernel level, so be prepared for issues such
+as failed creation of temporary files and similar.
+
+Yocto does support additional checks and changes via setting:
 
 EXTRA_IMAGE_FEATURES = "read-only-rootfs"
 
+...but since read-only is enforced at the kernel level already, using
+this feature isn't a hard requirement.  It may be best to delay/defer
+making use of this until after you've established basic booting.
+
 For more details, see the associated documentation:
 
 https://docs.yoctoproject.org/dev/dev-manual/read-only-rootfs.html
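Review bot: the new paragraph at "be prepared for issues such as failed creation of temporary files and similar" names the symptom but never says that the read-only-rootfs feature introduced a few lines later ("Yocto does support additional checks and changes via setting:") is what accommodates those writable paths, so a reader may take the feature as merely optional rather than as something to defer until first boot works; suggest tying the two together, e.g. "The read-only-rootfs feature is how Yocto handles those writable locations; it is not needed to get a first boot, so it can be deferred." Also, carrying one sentence across the EXTRA_IMAGE_FEATURES snippet ("...via setting:" followed by "...but since read-only is enforced") reads awkwardly; let the sentence after the snippet stand on its own, and drop the double space in "requirement.  It may".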