@@ -8,12 +8,41 @@ dmverity_run() {
DATA_SIZE="__not_set__"
DATA_BLOCK_SIZE="__not_set__"
ROOT_HASH="__not_set__"
+ SEPARATE_HASH="__not_set__"
. /usr/share/misc/dm-verity.env
C=0
delay=${bootparam_rootdelay:-1}
timeout=${bootparam_roottimeout:-5}
+
+ # we know exactly what we are looking for; don't need the wide hunt below
+ if [ "${SEPARATE_HASH}" -eq "1" ]; then
+ while [ ! -b "/dev/disk/by-partuuid/${ROOT_UUID}" ]; do
+ if [ $(( $C * $delay )) -gt $timeout ]; then
+ fatal "Root device (data) resolution failed"
+ exit 1
+ fi
+ debug "Sleeping for $delay second(s) to wait for root data to settle..."
+ sleep $delay
+ C=$(( $C + 1 ))
+ done
+
+ veritysetup \
+ --data-block-size=${DATA_BLOCK_SIZE} \
+ create rootfs \
+ /dev/disk/by-partuuid/${ROOT_UUID} \
+ /dev/disk/by-partuuid/${RHASH_UUID} \
+ ${ROOT_HASH}
+
+ mount \
+ -o ro \
+ /dev/mapper/rootfs \
+ ${ROOTFS_DIR} || exit 2
+
+ return
+ fi
+
RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=} 2>/dev/null)"
while [ ! -b "${RDEV}" ]; do
if [ $(( $C * $delay )) -gt $timeout ]; then
The prior commits create the separate hash so now it is time to update the initramfs framework so that veritysetup, which is responsible for binding the data and hash, is aware of when separate hash is in use, and can react accordingly. The added code follows the existing appended hash code style, but is considerably smaller because it doesn't have the large case statement that supports all possible identification schemes (label, UUID, ...). With the root hash split in two to create the respective partition UUIDs, we know exactly how to identify it, and the UUIDs used. Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> --- .../initramfs-framework-dm/dmverity | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+)