dm-verity: add x86-64 systemd based example instructions

Series dm-verity: add instructions for systemd x86-64 | expand

Paul Gortmaker May 10, 2023, 3:04 p.m.
Paul Gortmaker <paul.gortmaker@windriver.com>

We have systemd-bootdisk-dmverity.wks.in as an example template but
no mention of it in docs or config files.  Similar to the beaglebone
black insructions added earlier, we do the same for (qemu)x86-64.

This hopefully walks through getting things configured for building
a systemd based dm-verity image and booting it on qemux86-64 --filling
in a lot of blanks and assumptions so that someone relatively new to
the feature can get off the ground more quickly by using qemu as a
stepping stone towards their final physical implementation.

Finally, the full image is deployed and booted on real hardware.

Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
 docs/dm-verity-systemd-x86-64.txt | 77 +++++++++++++++++++++++++++++++
 1 file changed, 77 insertions(+)
 create mode 100644 docs/dm-verity-systemd-x86-64.txt
+dm-verity and x86-64 and systemd
+In this example, we'll target combining qemux86-64 with dm-verity and
+also systemd - systemd has dm-verity bindings and is more likely to be
+used on x86.
+While dm-verity in a qemu environment doesn't make practial sense as a
+deployment - it can be a useful stepping stone for testing and getting to
+a final physical deployment.
+Set/uncomment the MACHINE line for "qemux86-64" if you haven't yet.  It
+should be the default if unspecified, but check to be sure.  As of this
+writing (kernel v6.1) the resulting qemux86-64 build can also be booted
+successfully on physical hardware, but if you don't intend to use qemu,
+you might instead want to choose "genericx86-64"
+This will make use of wic/systemd-bootdisk-dmverity.wks.in -- note that it
+contains a dependency on the meta-intel layer for microcode, so you'll need
+to fetch and add that layer in addition to the meta-security related layers.
+In addition to the basic dm-verity settings, choose systemd in local.conf:
+DISTRO_FEATURES:append = " security systemd"
+VIRTUAL-RUNTIME_init_manager = "systemd"
+EFI_PROVIDER = "systemd-boot"
+PACKAGECONFIG:append:pn-systemd = " cryptsetup"
+Note the last line - you won't typically see that in on-line instructions
+for enabling systemd.  It is important for dm-verity, since it triggers
+the build and installation of components like this onto the rootfs:
+   /lib/systemd/system-generators/systemd-veritysetup-generator
+   /lib/systemd/systemd-veritysetup
+Now build the components for the wic image:
+   bitbake intel-microcode
+   bitbake core-image-minimal
+Assemble the image:
+           ------------------------------
+build-qemu-x86_64$wic create systemd-bootdisk-dmverity -e core-image-minimal
+INFO: Building wic-tools...
+INFO: Creating image(s)...
+INFO: The new image(s) can be found here:
+  ./systemd-bootdisk-dmverity.wks-202304181413-sda.direct
+The following build artifacts were used to create the image(s):
+  BOOTIMG_DIR:                  /home/paul/poky/build-qemu-x86_64/tmp/work/qemux86_64-poky-linux/core-image-minimal/1.0-r0/recipe-sysroot/usr/share
+  KERNEL_DIR:                   /home/paul/poky/build-qemu-x86_64/tmp/deploy/images/qemux86-64
+  NATIVE_SYSROOT:               /home/paul/poky/build-qemu-x86_64/tmp/work/core2-64-poky-linux/wic-tools/1.0-r0/recipe-sysroot-native
+INFO: The image(s) were created using OE kickstart file:
+  /home/paul/poky/meta-security/wic/systemd-bootdisk-dmverity.wks.in
+           ------------------------------
+The "runqemu" script defaults were acceptable for testing with only the
+verity image needing to be specified, i.e.
+    runqemu \
+    nographic \
+    qemux86-64 \
+    tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64-*.rootfs.ext4.verity
+You will see the above "direct" image file and also similarly named
+individual partition images.  To boot on UEFI enabled physical hardware,
+you need to simply write the "direct" image file to a USB stick with dd
+and the partition images can largely be ignored.
+Further information on interacting with the systemd UEFI loader is here: