[OpenWrt-Devel,v2,00/12] dm-verity support

Message ID 20191121162322.671035-1-thomas.petazzoni@bootlin.com

Message

Thomas Petazzoni Nov. 21, 2019, 4:23 p.m. UTC
Hello,

This is the second iteration of my patch series adding support for
dm-verity in OpenWRT. See below for some introduction about the
purpose of this series.

Changes since v1
================

- Rebase the patch series on the latest master.

- Make sure all patches have @bootlin.com as author, and not some
  stale @free-electrons.com

- Switch to using the upstream kernel patches to set up a DM target at
  boot time using the kernel command line, rather than patches that
  were submitted years ago and not merged.

- Make sure kernel patches are provided for both 4.14 and 4.19

- Drop the SOURCE_DATE_EPOCH usage when creating the mksquashfs image.

- Format the cryptsetup patch properly.

- Only build the host tools if CONFIG_TARGET_ROOTFS_SQUASHFS_HASHED is
  enabled

- Instead of unconditionally enabling the necessary kernel options for
  dm-verity support, we now add the appropriate options to
  config/Config-kernel.in, and select them only when needed.

- Drop empty Host/Configure rule in tools/libaio/Makefile

Introduction
============

dm-verity is a Linux kernel Device Mapper target that verifies that
the data in a block device has not been tampered with, by checking it
at runtime against a hash tree, itself verified by a root hash, which
is passed from a trusted source. dm-verity only supports read
operations, so we only support the read-only squashfs root filesystem
in this series.

This "hash tree" is a bunch of metadata that needs to be stored on
non-volatile storage. It can be appended to the filesystem data, or
stored on a separate block device/partition. We have chosen to support
only the case where it is appended to the filesystem data.

In the proposed series:

 - Patches 1-5 introduce new host packages. The first four are simply
   dependencies needed for cryptsetup, which is the tool used to
   generate the hash tree at build time.

 - Patch 6 extends the mkits.sh script so that a U-Boot script can be
   embedded in a FIT image. Indeed, to set up a dm-verity device at
   boot time, you need to pass a lot of details to the kernel that
   describe the dm-verity device, including the root hash. Those
   details need to be trusted: having them as part of the FIT image
   allows leveraging the signing capabilities of FIT images.

 - Patch 7 extends config/Config-kernel.in to be able to enable the
   appropriate kernel options for dm-verity support.

 - Patch 8 allows creating a FIT image with an embedded U-Boot
   script, leveraging the feature added in patch 6.

 - Patch 9 adds the code itself that generates the dm-verity capable
   squashfs image, and a script that produces the U-Boot script with
   the various parameters needed to set up the DM device at boot time.

 - Patch 10 adds two kernel patches that allow setting up a DM device
   at boot time, which have been backported from the upstream kernel,
   while patch 10 updates the kernel configuration to enable the
   appropriate option for dm-verity.

 - Patches 11 and 12 are just related to enabling this mechanism on
   Armada XP GP, which is the platform I used to work on this topic.

This work was tested on Armada XP GP, with both MMC and NAND storage.

One aspect that is not solved by this patch series is the logic in the
fstools programs to set up the overlay at boot time. Indeed, when
there is a squashfs filesystem, fstools assumes that it can use the
space after the squashfs filesystem for its overlay (in the MMC
storage case). It is not the case with dm-verity, because we have the
hash tree after the squashfs filesystem. This is something I intend to
work on.

Thomas Petazzoni

Thomas Petazzoni (12):
  tools/libaio: new package
  tools/lvm2: new package
  tools/popt: new package
  tools/libjson-c: new package
  tools/cryptsetup: new package
  scripts/mkits.sh: extend with -s option to include a U-Boot script
  config/Config-kernel.in: add options to enable dm-verity related
    kernel features
  include/image-commands.mk: extend Build/fit for U-Boot script
    integration
  include/image.mk: add support for building a dm-verity enabled
    squashfs image
  target/linux/generic: backport patches adding DM_INIT functionality
  target/linux/mvebu: enable UBI factory image on Armada XP GP
  target/linux/mvebu: generate a FIT image on Armada XP GP with
    dm-verity

 config/Config-images.in                       |   8 +
 config/Config-kernel.in                       |  15 +
 include/image-commands.mk                     |   1 +
 include/image.mk                              |  17 +-
 scripts/mkits.sh                              |  22 +-
 scripts/prepare-dm-verity-uboot-script.sh     |  41 ++
 ...-to-directly-boot-to-a-mapped-device.patch | 668 ++++++++++++++++++
 ...-init-fix-max-devices-targets-checks.patch |  48 ++
 ...hang-in-early-create-error-condition.patch |  49 ++
 ...ion-dm-init-fix-multi-device-example.patch |  45 ++
 ...-to-directly-boot-to-a-mapped-device.patch | 668 ++++++++++++++++++
 ...-init-fix-max-devices-targets-checks.patch |  48 ++
 ...hang-in-early-create-error-condition.patch |  49 ++
 ...ion-dm-init-fix-multi-device-example.patch |  45 ++
 target/linux/mvebu/image/cortex-a9.mk         |  15 +
 tools/Makefile                                |   3 +
 tools/cryptsetup/Makefile                     |  28 +
 .../patches/0001-dont-use-c89.patch           |  11 +
 tools/libaio/Makefile                         |  30 +
 tools/libjson-c/Makefile                      |  25 +
 tools/lvm2/Makefile                           |  47 ++
 tools/popt/Makefile                           |  22 +
 22 files changed, 1900 insertions(+), 5 deletions(-)
 create mode 100755 scripts/prepare-dm-verity-uboot-script.sh
 create mode 100644 target/linux/generic/backport-4.14/390-dm-add-support-to-directly-boot-to-a-mapped-device.patch
 create mode 100644 target/linux/generic/backport-4.14/391-dm-init-fix-max-devices-targets-checks.patch
 create mode 100644 target/linux/generic/backport-4.14/392-dm-ioctl-fix-hang-in-early-create-error-condition.patch
 create mode 100644 target/linux/generic/backport-4.14/393-Documentation-dm-init-fix-multi-device-example.patch
 create mode 100644 target/linux/generic/backport-4.19/400-dm-add-support-to-directly-boot-to-a-mapped-device.patch
 create mode 100644 target/linux/generic/backport-4.19/401-dm-init-fix-max-devices-targets-checks.patch
 create mode 100644 target/linux/generic/backport-4.19/402-dm-ioctl-fix-hang-in-early-create-error-condition.patch
 create mode 100644 target/linux/generic/backport-4.19/403-Documentation-dm-init-fix-multi-device-example.patch
 create mode 100644 tools/cryptsetup/Makefile
 create mode 100644 tools/cryptsetup/patches/0001-dont-use-c89.patch
 create mode 100644 tools/libaio/Makefile
 create mode 100644 tools/libjson-c/Makefile
 create mode 100644 tools/lvm2/Makefile
 create mode 100644 tools/popt/Makefile
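
The cover letter above describes a hash tree verified by a trusted root hash and appended to the filesystem data, which is also why the space right after the squashfs is no longer free for the overlay. The following is an added example, not code from this patch series: a simplified model of such a tree that is not byte-compatible with what cryptsetup generates. SHA-256, 4096-byte blocks, the absence of a superblock, and all function names are assumptions made for illustration.

```python
import hashlib

BLOCK = 4096                               # assumed data and hash block size
DIGEST = hashlib.sha256().digest_size      # 32 bytes
FANOUT = BLOCK // DIGEST                   # 128 digests fit in one hash block

def _h(salt, block):
    return hashlib.sha256(salt + block).digest()

def _split(buf):
    # Cut into BLOCK-sized pieces, zero-padding the last one.
    return [buf[i:i + BLOCK].ljust(BLOCK, b"\0") for i in range(0, len(buf), BLOCK)]

def build_tree(data, salt):
    """Return (root_hash, levels); levels[0] is the hash blocks covering the data."""
    if not data:
        raise ValueError("empty image")
    digests, levels = [_h(salt, b) for b in _split(data)], []
    while True:
        packed = _split(b"".join(digests))
        levels.append(packed)
        digests = [_h(salt, b) for b in packed]
        if len(packed) == 1:               # a single top block: its hash is the root
            return digests[0], levels

def verify_block(image, index, levels, root, salt):
    """Check one data block against the stored (untrusted) tree, trusting only root."""
    digest = _h(salt, _split(image)[index])
    for level in levels:
        block, slot = level[index // FANOUT], index % FANOUT
        if block[slot * DIGEST:(slot + 1) * DIGEST] != digest:
            return False
        digest, index = _h(salt, block), index // FANOUT
    return digest == root

def appended_layout(data_len, levels):
    """(hash_offset, first_free_byte) when the tree is appended to the data."""
    hash_offset = -(-data_len // BLOCK) * BLOCK
    return hash_offset, hash_offset + sum(len(lv) for lv in levels) * BLOCK

# Constructed sample input: 200 blocks standing in for a squashfs image.
IMAGE = b"".join(bytes([i]) * BLOCK for i in range(200))
SALT = bytes(32)                           # constructed all-zero salt
ROOT, LEVELS = build_tree(IMAGE, SALT)
```

With this sample, `appended_layout` shows the first free byte sitting three hash blocks past the end of the filesystem data, which is the offset an overlay would have to start from.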

Comments

Thomas Petazzoni Dec. 20, 2019, 2:04 p.m. UTC | #1
Hello,

On Thu, 21 Nov 2019 17:23:10 +0100
Thomas Petazzoni <thomas.petazzoni@bootlin.com> wrote:

> This is the second iteration of my patch series adding support for
> dm-verity in OpenWRT. See below for some introduction about the
> purpose of this series.

Unless I missed it, I don't think I have received any feedback on the
v2 of this patch series. Is there any chance of getting it merged, or
at least parts of it?

Thanks!

Thomas Petazzoni

Thomas Petazzoni March 12, 2020, 4:07 p.m. UTC | #2
Hello,

I have received absolutely no feedback on this v2.

Would it be possible to get these patches reviewed or merged?

Thanks a lot,

Thomas Petazzoni

On Fri, 20 Dec 2019 15:04:32 +0100
Thomas Petazzoni <thomas.petazzoni@bootlin.com> wrote:

> Hello,
> 
> On Thu, 21 Nov 2019 17:23:10 +0100
> Thomas Petazzoni <thomas.petazzoni@bootlin.com> wrote:
> 
> > This is the second iteration of my patch series adding support for
> > dm-verity in OpenWRT. See below for some introduction about the
> > purpose of this series.  
> 
> Unless I missed it, I don't think I have received any feedback on the
> v2 of this patch series. Is there any chance of getting it merged, or
> at least parts of it?
> 
> Thanks!
> 
> Thomas Petazzoni