Extend Verity= to support hash-only verity and deferred verity-sig #3466

Merged
merged 3 commits into from
Feb 5, 2025

DaanDeMeyer
Contributor

No description provided.

@DaanDeMeyer
Contributor Author

@septatrix I've reverted the changes to use signature and verity. I disagree that these need to be the same as systemd-repart. The Verity= setting in systemd-repart indicates whether a partition is the verity data, hash or signature partition. The Verity= setting in mkosi indicates whether we should do signed, hash-only or no verity at all. The settings may have the same name, but they do completely different things, hence there's no reason to use the same names as the repart setting.

DaanDeMeyer force-pushed the extension-repart-definitions branch from 3802a96 to b225cc9 on February 4, 2025 08:53
mkosi/resources/man/mkosi.news.7.md (outdated, resolved)
mkosi/resources/man/mkosi.1.md (outdated, resolved)
DaanDeMeyer force-pushed the extension-repart-definitions branch from b225cc9 to 1dc6000 on February 4, 2025 10:18
@septatrix
Contributor

> @septatrix I've reverted the changes to use signature and verity. I disagree that these need to be the same as systemd-repart. The Verity= setting in systemd-repart indicates whether a partition is the verity data, hash or signature partition. The Verity= setting in mkosi indicates whether we should do signed, hash-only or no verity at all. The settings may have the same name, but they do completely different things, hence there's no reason to use the same names as the repart setting.

I think that's fair and fine by me. One could even justify this by saying that this uses the names from sd-image-policy and "hash = verity - signed" ;)

DaanDeMeyer force-pushed the extension-repart-definitions branch from 1dc6000 to f2addd5 on February 4, 2025 11:59
hundeboll and others added 2 commits February 4, 2025 14:14
Building an unsigned extension image with verity hashes provides data
integrity without needing a certificate on the target machine.

Note that systemd-dissect and systemd-sysext don't automatically
use the verity data hash partition for validation. Both tools enable
validation if the user.verity.roothash xattr is set for the image.
For systemd-dissect, one can use the --root-hash option to enable the
validation.

The root hash can be obtained by concatenating the partition UUIDs for
the root and the root-verity partitions.

This defers the creation of the verity-sig partition which is useful
when doing offline signing.
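
As an added illustration of the derivation stated in the first commit message above (not code from this pull request or from mkosi): rebuild the root hash from the partition UUIDs in `sfdisk --json` output and compare it with a hash recorded at build time. The x86-64 type GUIDs, the sample partition table and all function names are assumptions made for the example.

```python
import json
import uuid

# Discoverable Partitions Specification type GUIDs for x86-64.
# Assumption: the image targets x86-64; other architectures use other GUIDs.
ROOT_X86_64 = uuid.UUID("4f68bce3-e8cd-4db1-96e7-fbcaf984b709")
ROOT_X86_64_VERITY = uuid.UUID("2c7357ed-ebd2-46d9-aec1-23d437ec2bf5")

# Constructed sample, a subset of the fields `sfdisk --json image.raw` prints.
SAMPLE_SFDISK_JSON = """
{"partitiontable": {"label": "gpt", "partitions": [
  {"node": "image.raw1", "type": "4F68BCE3-E8CD-4DB1-96E7-FBCAF984B709",
   "uuid": "0F1E2D3C-4B5A-6978-8796-A5B4C3D2E1F0"},
  {"node": "image.raw2", "type": "2C7357ED-EBD2-46D9-AEC1-23D437EC2BF5",
   "uuid": "00112233-4455-6677-8899-AABBCCDDEEFF"}
]}}
"""


def partition_uuid(table: dict, type_guid: uuid.UUID) -> uuid.UUID:
    """Return the UUID of the one partition with this type GUID."""
    found = [uuid.UUID(p["uuid"])
             for p in table["partitiontable"]["partitions"]
             if uuid.UUID(p["type"]) == type_guid]
    if len(found) != 1:
        # Zero or duplicate matches make the derivation ambiguous: refuse.
        raise ValueError(f"{len(found)} partitions of type {type_guid}")
    return found[0]


def roothash_from_table(sfdisk_json: str) -> str:
    """Root UUID followed by root-verity UUID, as 64 lowercase hex digits."""
    table = json.loads(sfdisk_json)
    root = partition_uuid(table, ROOT_X86_64)
    verity = partition_uuid(table, ROOT_X86_64_VERITY)
    return root.hex + verity.hex


def matches_build_record(sfdisk_json: str, recorded_hash: str) -> bool:
    """True if the image's UUIDs agree with a hash recorded at build time."""
    return roothash_from_table(sfdisk_json) == recorded_hash.strip().lower()


if __name__ == "__main__":
    roothash = roothash_from_table(SAMPLE_SFDISK_JSON)
    print(roothash)
    # The value is what the commit message says to pass on the command line:
    #   systemd-dissect --root-hash=<roothash> image.raw
```

A hash derived from the image's own partition table only detects corruption of the data it covers; comparing it with a record kept from the build is what ties the image to a known build.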
DaanDeMeyer force-pushed the extension-repart-definitions branch from f2addd5 to 1f60496 on February 4, 2025 13:15
Member

@bluca bluca left a comment

Tested this change in OBS for the deferred option and works nicely

@bluca bluca merged commit 4f74274 into systemd:main Feb 5, 2025
35 checks passed
@hundeboll
Contributor

@DaanDeMeyer Thanks for finishing this. I was back late from FOSDEM, and then had to overcome the flu I picked up while there...

@DaanDeMeyer
Contributor Author

> @DaanDeMeyer Thanks for finishing this. I was back late from FOSDEM, and then had to overcome the flu I picked up while there...

@hundeboll No worries, thanks for doing the initial work. You should have come say hi at FOSDEM, we (mkosi/systemd maintainers) were there as well.
