From patchwork Thu Mar 27 12:18:28 2025
X-Patchwork-Submitter: Erik Schumacher
X-Patchwork-Id: 60069
From: Erik Schumacher
To: "openembedded-devel@lists.openembedded.org"
Subject: [meta-oe][PATCH] image_types_verity.bbclass: Optionally create hash data in separate file
Date: Thu, 27 Mar 2025 12:18:28 +0000
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/116321

On some setups, the verity partition and the corresponding hash data are handled separately. To account for this, a HASHDEV_SUFFIX is introduced to divert the hash data to a separate image artifact. By default, this suffix is equal to the image suffix, meaning that the hash data is appended to the verity image, like before. When the hash data is written to a separate file, the verity image is padded with zeroes until its size is a multiple of block_size.

Signed-off-by: Erik Schumacher
---
 meta-oe/classes/image_types_verity.bbclass | 43 +++++++++++++++++++---
 1 file changed, 38 insertions(+), 5 deletions(-)

-- 
2.48.1

diff --git a/meta-oe/classes/image_types_verity.bbclass b/meta-oe/classes/image_types_verity.bbclass index b42217c453..eeade6fdd8 100644 --- a/meta-oe/classes/image_types_verity.bbclass +++ b/meta-oe/classes/image_types_verity.bbclass @@ -26,6 +26,10 @@ # should be the same blockdevice in the command shown above while # is the name of the to be created dm-verity-device. # +# By specifying a different VERITY_IMAGE_HASHDEV_SUFFIX, the hash tree data can +# be created in a separate file. In this case, is just zero padded to a +# multiple of VERITY_BLOCK_SIZE. will be a separate file. +# # The root hash is calculated using a salt to make attacks more difficult. Thus, # please grant each image recipe its own salt which could be generated e.g. via # @@ -42,6 +46,7 @@ VERITY_SALT ?= "${CLASS_VERITY_SALT}" VERITY_BLOCK_SIZE ?= "4096" VERITY_IMAGE_FSTYPE ?= "ext4" VERITY_IMAGE_SUFFIX ?= ".verity" +VERITY_IMAGE_HASHDEV_SUFFIX ?= "${VERITY_IMAGE_SUFFIX}" VERITY_INPUT_IMAGE ?= "${IMGDEPLOYDIR}/${IMAGE_LINK_NAME}.${VERITY_IMAGE_FSTYPE}" IMAGE_TYPEDEP:verity = "${VERITY_IMAGE_FSTYPE}" 
@@ -56,6 +61,7 @@ python __anonymous() { } python do_image_verity () { + import io import os import subprocess import shutil @@ -66,6 +72,9 @@ python do_image_verity () { verity_image_suffix = d.getVar('VERITY_IMAGE_SUFFIX') verity = '{}{}'.format(image, verity_image_suffix) + verity_image_hashdev_suffix = d.getVar('VERITY_IMAGE_HASHDEV_SUFFIX') + verity_hashdev = '{}{}'.format(image, verity_image_hashdev_suffix) + # For better readability the parameter VERITY_BLOCK_SIZE is specified in # bytes. It must be a multiple of the logical sector size which is 512 bytes # in Linux. Make sure that this is the case as otherwise the resulting @@ -87,9 +96,9 @@ python do_image_verity () { bb.debug(1, f"data_size_blocks: {data_size_blocks}, {data_size_rest}") bb.debug(1, f"data_size: {data_size}") - # Create verity image - try: - output = subprocess.check_output([ + if verity == verity_hashdev: + # creating self-contained dm-verity image + veritysetup_command = [ 'veritysetup', 'format', '--no-superblock', '--salt={}'.format(salt), 
@@ -98,7 +107,27 @@ python do_image_verity () { '--hash-block-size={}'.format(block_size), '--hash-offset={}'.format(data_size), verity, verity, - ]) + ] + else: + # creating separate dm-verity and hash device image + veritysetup_command = [ + 'veritysetup', 'format', + '--salt={}'.format(salt), + '--data-blocks={}'.format(data_blocks), + '--data-block-size={}'.format(block_size), + '--hash-block-size={}'.format(block_size), + verity, verity_hashdev, + ] + # veritysetup expects the data device size to be a multiple of block_size + # when creating a separate hashdev file, zero pad verity file if needed + if data_size_rest: + with open(verity, 'rb+') as verityfile: + verityfile.seek(0, io.SEEK_END) + verityfile.write(b'\x00' * (block_size - data_size_rest)) + + # Create verity image + try: + output = subprocess.check_output(veritysetup_command) except subprocess.CalledProcessError as err: bb.fatal('%s returned with %s (%s)' % (err.cmd, err.returncode, err.output)) @@ -128,7 +157,11 @@ python do_image_verity () { bb.fatal('Unexpected error %s' % err) # Create symlinks - for suffix in [ verity_image_suffix, '.verity-info', '.verity-params' ]: + suffix_list = [ verity_image_suffix, '.verity-info', '.verity-params' ] + if verity != verity_hashdev: + suffix_list.append(verity_image_hashdev_suffix) + + for suffix in suffix_list: try: os.remove(link + suffix) except FileNotFoundError:
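Review bot: The new comment block in the @@ -26,6 +26,10 @@ hunk should also state that in the separate-file mode the hash file is written with a veritysetup superblock, because the separate-hashdev branch drops both '--no-superblock' and '--hash-offset={}'.format(data_size); the activation command documented just above this comment assumes an appended hash tree at a hash offset, so a reader following it for the split layout will pass the wrong parameters. A sentence pointing to the matching veritysetup open form for a superblock-carrying hash device would close that gap.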
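Review bot: The `+ import io` in the @@ -56,6 +61,7 @@ hunk is only used for io.SEEK_END in the padding code; os is already imported in this function and os.SEEK_END is the same constant, so the extra import can be dropped.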
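Review bot: In the @@ -98,7 +107,27 @@ hunk the zero padding is appended to the data image while '--data-blocks={}'.format(data_blocks) is still passed unchanged; please confirm that data_blocks already counts the padded trailing block (rounded up, not the floor value data_size_blocks logged above), otherwise the final block that now holds the padding is not covered by the hash tree and dm-verity cannot authenticate it. Separately, the padding write under `with open(verity, 'rb+') as verityfile:` sits outside the try/except that wraps subprocess.check_output, so an OSError there surfaces as a raw traceback instead of the bb.fatal used for the veritysetup failure; moving it under the same handling would keep error reporting consistent.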
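The commit message states that the data image is zero padded to a multiple of block_size before the hash tree is written to a separate file; the added example below (my illustration in Python, not code from the class or from veritysetup) shows why that alignment is required and that the padding itself ends up authenticated. It assumes a simplified dm-verity-style tree: each block is hashed as H(salt || block), hash blocks are zero padded, and the superblock and on-disk level ordering are left out.

```python
import hashlib

BLOCK_SIZE = 4096                      # VERITY_BLOCK_SIZE default in the class
DIGEST_SIZE = hashlib.sha256().digest_size


def pad_to_block(data: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Zero-pad an image to a whole number of blocks, as the patch does when
    the hash tree is written to a separate file (data_size_rest != 0)."""
    rest = len(data) % block_size
    return data + b"\x00" * (block_size - rest) if rest else data


def _h(salt: bytes, block: bytes) -> bytes:
    # dm-verity (veritysetup default) hashes each block as H(salt || block)
    return hashlib.sha256(salt + block).digest()


def build_hash_dev(data: bytes, salt: bytes, block_size: int = BLOCK_SIZE):
    """Build a simplified dm-verity hash tree over a block-aligned image.
    Returns (root_hash, levels): levels[0] is the packed leaf level, every
    level zero-padded to whole hash blocks. Assumption: superblock and
    on-disk level ordering are left out; this is an illustration."""
    if len(data) % block_size:
        raise ValueError("data device must be a whole number of blocks")
    blocks = [data[i:i + block_size] for i in range(0, len(data), block_size)]
    levels = []
    while True:
        packed = b"".join(_h(salt, b) for b in blocks)
        packed += b"\x00" * (-len(packed) % block_size)
        levels.append(packed)
        if len(packed) == block_size:      # single hash block left: hash it -> root
            return _h(salt, packed), levels
        blocks = [packed[i:i + block_size] for i in range(0, len(packed), block_size)]


def verify_block(data: bytes, index: int, levels, root: bytes, salt: bytes,
                 block_size: int = BLOCK_SIZE) -> bool:
    """Authenticate one data block against the root hash the way dm-verity
    does on read: check the leaf digest, then each hash block on the path up."""
    per_block = block_size // DIGEST_SIZE
    digest = _h(salt, data[index * block_size:(index + 1) * block_size])
    for packed in levels:
        hb_index, slot = divmod(index, per_block)
        hb = packed[hb_index * block_size:(hb_index + 1) * block_size]
        if hb[slot * DIGEST_SIZE:(slot + 1) * DIGEST_SIZE] != digest:
            return False
        digest, index = _h(salt, hb), hb_index
    return digest == root
```

Flipping a byte inside the padding region of the last block makes verify_block fail, which is the property the padding-before-format order in the patch relies on.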